Spamhaus Provides Answers: Part 2
As some readers are aware, several months ago Steve Linford, chief executive of anti-spam organization Spamhaus, agreed to field questions from Magill Report readers.
More than 60 questions were submitted. Linford answered 14 of them in March. Then Spamhaus came under what has been described as the largest DDoS, or distributed-denial-of-service attack, in Internet history.
As a result, the folks at Spamhaus got a little distracted from answering questions from Magill Report readers.
I am happy to report that Linford was kind enough to supply a new round of 33 answers this week. I will run them in three parts over the coming weeks.
Also, as some readers will remember, the comments under the first Spamhaus installment got so out of hand, I decided to shut them down. I’m leaving the comments enabled for this piece for now. We’ll see what happens.
The rest of this post is from Spamhaus:
Where were we when we were so rudely interrupted by 300Gbps of packet love? Ah yes, onward with the rest of these questions and answers! Please see our comments at the beginning of the first set of Q&A in the March 19, 2013 Magill Report. Those same thoughts apply to all these answers.
15. It's clear from Spamhaus' 'recent SBL listings' tracking list that the vast majority of SBLs are related to criminal behavior, most of which involves truly nefarious and malicious activity. It's also clear from most of Spamhaus' ISP 'users' that they no longer deliver most 'spam' or even 'bacn' to the Inbox and their filters are highly customized to identify unwanted messaging from dedicated IP address senders. So why does Spamhaus continue to believe that their resources should be spent blocking legitimate commercial email where there is clearly a larger need to maintain focus on the criminal actors, as well as the diminishing needs by their 'users' to block legitimate (i.e., dedicated and transparent) commercial emailers?
Background: Working for an ESP, we sometimes get reports that a client has hit a spamtrap owned by Spamhaus. After we vet the account, obtain list origins and determine it's an account we can help resolve the issue and not a bad actor that got through our self-service filters, we need to understand the best way to proceed. We 100 percent understand the purpose of spamtraps and make sure it is a client we trust doing everything else correctly and maybe just have an old address or a typo mixed in within their list.
What a dissertation of a question! There are quite a few assumptions, guesses, assertions and the like in those statements which we'd have to fully qualify in order to do the question justice. For instance, what is "bacn"? Perhaps "bacon," a pork product many people want? Spamhaus has no such category in its DNSBLs.
Regarding criminal behavior, yes, virtually every SBL listing involves actions which are criminal in many jurisdictions including most of Europe, for example: Spamming.
Since "legitimate commercial email" does not include spam, there is an inherent contradiction in the premise of the question.
Some of our data users do "customize" their filters, as well as use our data in a variety of ways, but that's not a reason for us to change our data. In fact, changing our data in response to their filters is likely to force them to have to change their filters again, and that's no help for either us or them.
As far as stopping spam from mainstream brands reaching end-users' inboxes, we're glad to offer our assistance to anyone using our data for that purpose, just as we are for any spam.
Ultimately, we find that our users do not want any kind of spam in their inbox, not botnet spam, not mainsleaze spam, not advance-fee-fraud (aka "419") spam sent essentially "by hand," not phish, not clubs or churches or associations trying to pad their membership rolls; none of it! We also find plenty of shades of gray, from people such as the questioner who had one customer with one bad address to less responsible mailers, and we find that the camel's nose does not instinctively wish to leave the warm tent, and we find that ignoring the problem doesn't make it get any better. So, we do what we tell our users we do - we list spam sources. It works for us and our users, and so that is why we do it.
Let's consider these next four questions as a set due to related issues of web (HTTP) interactions:
16. Can you confirm that spamtraps do not open, click or otherwise show engagement? In other words, if a client does have a spamtrap within their list, would removing or double opting in inactive subscribers help eliminate the trouble address?
Removing inactive addresses might help reduce spam, and re-confirming the list would certainly achieve that result. More about "open" and "click" issues in a moment!
17. Do they open/render images on emails they receive? If so, how would they expect a marketer to distinguish that from real engagement?
We expect marketers to verify the recipient's permission before they add the address to their list. "Real engagement" would seem to entail some very tangible human action, for instance purchasing a product or service. We reserve the right to view spam messages including any rendering necessary for a person to interpret the content of the message. (Some spam only identifies its advertising content by rendering an image.) We don't think that viewing a message in any way infers consent to send bulk mail to that address.
18. Ditto for clicks. Do they follow any of the links in the emails they receive?
Some of our spamtraps have systems which follow links under specific conditions related to CBL/XBL listings. Some spamtrap messages are reviewed by humans who may manually follow links to further investigate the spam (redirectors, affiliate programs, final landing sites, etc.). Most of our spamtrap systems, including those which primarily detect the sort of ESP/mainstream traffic that most legitimate marketers are engaged in, do not engage any HTTP traffic. We are careful to not follow links for confirmed opt in challenges, and the manual investigations represent a nearly immeasurably small fraction of the total spam we're investigating, so those web hits are extremely unlikely to affect legitimate ESP metrics on real, valid subscribers.
19. If a marketer is mailing to a purchased list of all actively engaged recipients (opening and clicking their emails regularly), do they still run the risk of hitting spam traps?
First off, a "purchased list" should immediately raise flags. Sale of email address lists is illegal in many jurisdictions and in most cases such sale exceeds any permission granted by the address owners. Selling a list to more than one buyer (thus multiplying the number of lists each address is subscribed to) is well outside our acceptable permission standards.
Consider a pathological case of a clever spammer with purchased opt-out lists. She could carefully watch which addresses were opened and build a list completely free of non-opening traps. Would that list be legitimate? Would it have the recipients' permission? Hardly! Opening a message does not confirm permission.
With respect to the above group of questions, the use of web bugs or other techniques not involving intentional consent by the recipient is illegal in the European Union. Marketers have no legal way to know whether one of their messages was viewed by an EU user unless a direct and conscious action to inform them was made by the user (e.g. confirmed opt in). The very act of including a web bug in an email is illegal, let alone interpreting a click on the web bug as an expression of implied consent! Generally speaking, any and all consent requires an active human action. Not even submitting a form with a pre-ticked 'subscribe' box on a web site is considered a valid expression of consent: a user has to do the _action_ of turning on the tick before submitting the form. The 9-year-old European Commission privacy document has all the basics (i.e., using purchased email lists is illegal, etc).
Another aspect to consider is the actual HTTP function used to gather such information. The GET function is best used only for retrieving information. As any automated function can complete a GET call, it is inherently insecure as a measure of human interaction. The POST function is a better choice for functions requiring a change of state, for example verifying permission. Using the POST function does not expose the per-recipient identifiers to automated collection and, in confirmed opt in, it requires human action to complete the subscription, thus verifying the user's permission. More information about GET and POST functions can be found on these pages:
20. Does Spamhaus report traps hit immediately? For example, if a long standing client is reported for hitting traps, is it safe to say it was from a recent upload or signups?
If something changed on your end shortly before an SBL listing, it's probably a good idea to consider that it could be related. But, as mentioned in a prior answer, an SBL could happen any indefinite time period after spam commenced; we might not see or notice the first hits. You should at least take a look for other poor practices on the affected client or list which could have been ongoing prior to the SBL listing. Also, "immediately" in SBL terms could be an hour or a day or three; it's a manual process and listings don't occur in the same "real time" sense as XBL or CSS.
21. Besides typo, harvested, purchased, and recycled spamtraps, is there any other way a trap would appear in a client's list?
It is entirely possible; spammers have been known to be quite imaginative about where they get their addresses. So are we.
E-pending is a bad idea (PDF). We've seen offers for a service to build a list based on simply inventing email addresses for given domain names. Dictionary attacks are not uncommon. Waterfalling, contrary to some opinions, does not remove all spamtraps. "Verification services," while possibly legitimate and well intentioned, still don't take the step of confirming the address owner's permission. And ultimately, it's real user mailboxes which matter most, not spamtraps.
22. What if someone manages to identify a spam trap's identity and enroll it on a competitor's mailing list? How lenient is Spamhaus to these issues knowing they exist?
It is not possible to enroll any address in a Confirmed Opt In list without the address owner's permission, so defending against such an attack is easy and we encourage all list owners to do so. We recognize the difference between confirmation requests and advertising.
We do not reveal trap addresses and have not witnessed the described process as an abuse vector affecting SBL listings (although we have heard of many list problems with forged subscriptions). We hear lots of claims to be able to identify spamtraps but little evidence.
In rare cases where traps have been inadvertently revealed, we burn that trap indefinitely, sometimes permanently, but always until we are confident that the data it produces is reliable and effective.
If you honestly feel that such a situation explains your SBL listing, you may certainly mention it in your removal request, and explain why, but we will still expect strong measures be taken to ensure that no other forged subscriptions are on the list and that it won't happen again.
Where the rubber meets the road is not spamtraps but real users' mailboxes, and they can get forge-subbed and list-bombed, too. We have seen--and many of us have experienced--list-bombs where forged subscriptions result in hundreds or thousands of messages in a single mailbox in a few hours. Do you really think any user should be forced to "unsubscribe" from lists they never subscribed to or have any knowledge about?
23. Currently, we understand that typo-traps are being monitored by Spamhaus, but that they are mainly being used to advise marketers on the risks of mailing non-confirmed opt-in. Are there any plans over the next year to increase the blocking frequency and severity on marketers mailing to typo-trap addresses and domains?
As we have done for over ten years, we intend to continue turning the screws on spam, as tight as we are able. While classifying various kinds of traps may offer solace to people who do not adequately control their subscription processes, SBL listings are not based on such artificial distinctions. With all the attention recently given to so-called "typo-traps," we continue to see marketers hitting many other types of email address: long-dead accounts, purchased lists, their own suppression lists, other people's suppression lists, addresses seeded into various systems to catch e-pending and other address dissemination, message-IDs, and just complete nonsense delivery attempts where we are not sure how the marketer botched their list.
Again, all the emphasis on spamtraps is rather misplaced. While traps are one way to detect spam problems, the goal of legitimate mailers should be to only send to fully opt-in subscribers, not simply to avoid spamtraps. If only spamtraps received spam and user mailboxes were completely free of it, Spamhaus would have no reason to exist.
24. Can you confirm that Spamhaus has a lower tolerance for newly allocated domains and IPs?
Reputations, good and bad, are built over time. Experience has shown us--as well as the receivers we talk to--that giving "benefit of the doubt" to newcomers in the bulk mailing world is a proposition bound to perpetuate spam, so reputations tend to start out poor before they become neutral or good. Consider why snowshoers change domains and IPs so often.
25. Based on a sender's business model, reaching out to their customers every 2, 3, or even 4 years may be necessary or applicable business practice. (example: purchasing a new car, TV, kitchen appliance). If this is necessary business practice, how can a sender do this safely without risking hitting too many traps?
Snail mail! The average life-expectancy of an email address is around six months*, so for many consumer applications such as those examples, email is unlikely to be a reliable channel. Other practices which would help would be COI and more frequent engagement mailings. We are aware of lists, even fairly large ones, which mail at low frequencies yet experience normal delivery, but those tend to be professional interest lists where subscribers are more comfortable providing such long-term personal info. Also, keep in mind that with truly low sending rates, the odds of those mailstreams coming to our attention are greatly diminished.
*Off-hand word-of-mouth for many free webmail accounts.
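As an added illustration (example code, not from Spamhaus or the Magill Report) of the GET/POST distinction in answer 19 and the forged-subscription defense in answer 22: the link in a confirmed-opt-in email is a GET that only renders a form, and the subscription is recorded solely on the POST, using a signed, expiring, single-use token so that automated link followers cannot complete the confirmation. The endpoint names, server secret and in-memory storage are assumptions.

```python
"""Minimal confirmed-opt-in (COI) flow: state changes only on POST."""
import hashlib, hmac, secrets, time

SERVER_SECRET = b"constructed-demo-secret-change-me"  # constructed placeholder
TOKEN_TTL = 48 * 3600                                  # links expire after two days

pending = {}       # nonce -> (email, issued_at); assumed in-memory store
confirmed = set()  # addresses whose owners actively confirmed

def _tag(nonce, email):
    """HMAC binds the nonce to the address so the token cannot be forged or re-targeted."""
    msg = f"{nonce}|{email}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def issue_confirmation(email):
    """Record a pending request and return the token to embed in the confirmation email."""
    nonce = secrets.token_urlsafe(12)
    pending[nonce] = (email, time.time())
    return f"{nonce}.{_tag(nonce, email)}"

def _valid(token, now=None):
    """Return the address for a well-formed, signed, unexpired token; otherwise None."""
    try:
        nonce, tag = token.split(".", 1)
        email, issued = pending[nonce]
    except (ValueError, KeyError):
        return None
    if not hmac.compare_digest(tag, _tag(nonce, email)):
        return None
    if (now if now is not None else time.time()) - issued > TOKEN_TTL:
        return None
    return email

def handle_get(token):
    """GET /confirm?t=...: safe and idempotent. Renders a form, never subscribes."""
    email = _valid(token)
    if email is None:
        return 404, "unknown or expired confirmation link"
    return 200, (f'<form method="POST" action="/confirm">'
                 f'<input type="hidden" name="t" value="{token}">'
                 f'<button>Yes, subscribe {email}</button></form>')

def handle_post(token):
    """POST /confirm: the only place permission is recorded, on a deliberate submit."""
    email = _valid(token)
    if email is None:
        return 404, "unknown or expired confirmation link"
    del pending[token.split(".", 1)[0]]  # single use: a replayed POST is rejected
    confirmed.add(email)
    return 200, f"{email} confirmed"
```

A crawler or trap system that merely fetches the link sees the form and changes nothing; only the submitted POST adds the address to `confirmed`.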
[Editor's note: I want to thank Steve Linford for taking the time to answer readers' questions. He is under no obligation to do so. The third installment of this series will run next week.]