"It typically takes from 1,000 to 10,000 spams to make one sale. If you buy from a spammer, you are PERSONALLY responsible for the next 1,000 to 10,000 spams sent...

"Including the porn spam sent to your kids."


TalkBiz News
Issue for April 23, 2002


While it stirred up a lot of controversy, the article "You HAD Mail" wasn't an end in itself. It was a way to introduce you to one of the problems that threatens the use of email for businesses and consumers both. A way to show you the serious impact of just one badly misused tool on a business that's affected by that misuse.

Spam Assassin is the example, not the issue.

The bad news is that there are dozens of ways that the spam problem can result in your mail, whether sending or receiving, getting dumped as unceremoniously as a blind date with bad breath.


The Spam Wars


Make no mistake: If it's possible for the word "war" to apply in a virtual environment, it applies to the battle between spammers and the rest of the net.

It's an arms race, in which the technophiles try to stop spam with software, while the spammers create new and ever sneakier ways to force their mail into your face.

An awful lot of collateral damage results from this. To put it in less military terms, you could be losing a lot of mail that you wanted.

In fact, with the amazing amount of nonsense going on online, it's almost guaranteed.


Who Are The Players?


There's a major problem with this war. Most people don't have a clue who's on which side, and they don't know where to get a score card.

The "legit" spammers will try to make you think it's just the porn spammers and "con artists" who are at fault. The DMA wants it to be slanted toward favoring their members over the little guy. The zealots think that no commercial email is good, even if you asked for it, and the kooks... well, they're random variables, just like offline.

They're all jockeying for position, and very few of these folks are paying attention to the effect their position will have on email users, or the network itself.

They want what they want, the way they want it, and they want it now. To hell with anyone who disagrees with them, and to hell with anyone who gets in their way. Frontier justice is the rule of the day.

And we wonder why things are so crazy?


Geeks vs Marketers


The old-timers have a different perspective. They built this Internet thing (many of them), and they want it back the way it used to be. They see marketers as the death of the "Net as it was."

They remember the phase of growth they liked the most. Very few of them look back to the very beginnings with fondness. The days when access was strictly limited, and the Internet was a government project, designed to ensure the survival of the Command, Control and Communications structure of the US military in case of a nuclear war.

I remember 300 baud modems the size of a laptop. Computer time was so valuable that you typed in lower case because hitting the shift key slowed you down, and acronyms were required to conserve on disk space. I remember hard drives costing hundreds of dollars per megabyte, and arcane software that only a true Alpha Geek could love (or use).

The tech types like the advances in technology that came along. Faster and cheaper modems and processors, high speed access, etc. They often ignore the fact that these advances are the result of the opening of computing, and especially the Internet, to a mass market audience. That audience made the research to provide these things economically feasible.

The Internet is following the path of evolution that every successful society has followed. Throughout history, no society has ever survived by staying in the pioneer stage.

The ranks of anti-spammers contain relatively few people skilled in mass communication, so they're trying to win with the only law that's universal online:

Code.

Sorry, boys. That won't work unless the mass market wants it to. There's a whole generation of geeks coming up that don't have the same biases you do.

They've seen the world, and they want more.

Note: In this article, the term "geek" simply means someone with advanced technical skills and a bias toward focusing on technology. It has no intended negative connotations.




The anti-spammers often treat this as a battle between geeks and marketers.

That's foolishness. And surprising, considering the intelligence of most of the true geeks that make up the old guard. These are generally very bright, very sensible folks.

Some things for the folks in the anti-spam ranks to consider:

  • Marketers didn't lead the "invasion." They followed it.

  • Marketers didn't cause the "Endless September," but they can help you end it, if you let them. And maybe even if you don't. There's money in teaching people, after all.

  • Marketers, as a group, are not the enemy.

    Marketers are your last, best hope of teaching the public the true nature of spam before the world's governments take away any choice in the matter. Leave it to the legislatures, and you're going to have much bigger problems than you have now.

  • Marketers know how to reach the millions of people that need to be educated to solve this problem, and how to communicate the issues in a way that the non-geek population will understand and embrace.

    You don't.




The marketers make the same mistake. In some ways, this isn't surprising. The anti-spammers seem ready to take down any marketer, at any time, assuming we're all going to turn spammer at the first hint that there's a buck in it.

Of course, the marketers, not having a useful definition for spam, and seeing the abuses caused by the kooks, are ready to assume that everyone who opposes spam also opposes commerce.

WRONG!

Many of the most prominent anti-spam types are also pretty fair marketers.

Some things for you marketers to consider:

  • The majority of anti-spam folks are sensible, sane, and reasonable people. You don't hear them well over the noise the kooks cause, but they really are.

  • The anti-spam folks have the technical know-how, the experience, and the inside connections at many service providers to help them handle your mail properly.

  • The anti-spam folks want an end to the war, same as you. They just want the right to be left alone, same as everyone else.

  • The anti-spam folks can help you to deal with the medium in ways that will keep you on the good side of your customers and the service providers they use. They understand the technical issues in ways that are very important to your success.

    You don't.


The Real Conflict


This whole situation is dumb, if only because it takes attention away from the real conflict:

Spammers vs everyone else.


The spammers want to use everyone else's resources for their own purposes, without paying for them. They shift the cost of their advertising onto the ISPs, the web hosts, the end users, and everyone who uses the Net responsibly in any way.

They scream "free speech," while forcing unwilling others to subsidise their advertising, to the tune of billions of dollars a year.

Sorry, SpamBoy. The term "free speech" does not mean "You get to talk and we have to pay to listen."




There are three main Villains in this war:

  1. The spammers.
  2. The hosts who profit from them.
  3. The people who buy from them.

The first is often confused. Here's the definition I'm using for spam in this series:

Bulk email knowingly sent to people who didn't ask for it.

Simple, no?

I don't care if you're a major bank or a minor bunco artist. If you knowingly send bulk email to people who didn't ask for it, knowing what they were going to get when they asked, you're a spammer.

You're using my resources, at my expense, without my permission. Ergo...

Spam, and you're a thief.




If you are a host that knowingly provides service to a spammer - any spammer - you're feeding the parasite that will eventually kill you.

How smart is that?

You're also helping to shift the costs of delivering the spam, as well as the costs of any attempts to stop it, onto your neighbors on the net.

You too are a thief.




Spammers exist because people buy from them.

It typically takes from 1,000 to 10,000 spams to make one sale. If you buy from a spammer, you are PERSONALLY responsible for the next 1,000 to 10,000 spams sent.

Including the porn spam sent to your kids.




Yeah, I know. I'm gonna hear it, so I may as well answer it now:

"Not all spammers are selling porn or illegal drugs. Some sell innocuous stuff like phone services and web hosting and other (seemingly) legit products."

Spamming is an industry, and it exists because there are people who support it. These people buy, sell and trade lists, and they spam multiple products. If you buy from a spammer, you increase the likelihood that the list you're on will be sold even more widely, to anyone with the money to buy it or a list to trade for it.

You're encouraging them all.

If you buy from a spammer, don't complain when your kids open their email to graphic displays of bestiality or rape fantasies. You asked for it.




Let's get this straight right up front. The problem with spam is NOT the content. The content is irrelevant. The problem with spam is that it will, if allowed at all, destroy email as a medium for communication.

Not might. Will.

It's happening already.




Spam has doubled in recent months, and continues to grow. A recent Ferris Research study shows that the average cost of spam, just in the time spent deleting it, is $200 per year.

Per mailbox.

Lessee... One for you, one for the better half, and one for Junior. Since those are personal mailboxes, you probably only get half the average. Say, $300 a year right now. (Going up to $600 in a year or so.)

You're paying the spammers more than you pay your ISP.

Ain't that lovely?




Suppose you're in business. Further suppose you have, say, four different mailboxes for different purposes. (I have a lot more than that.) You probably get twice the average per mailbox, so call it... hmmm...

$1600 a year. And growing.

That assumes the hourly rate is the same for everyone, of course. I suspect that spam costs most business people much more than that in terms of lost productivity.

Pretty expensive for "free speech," huh?


How Many People Does It Take To
Screw Up An Email System?


Recognising the major players is easy. Let's look at some of the other participants, and how they complicate matters.

BLACKLISTS: A major factor. These come in a variety of flavors, but they all share one thing in common - if your ISP uses them, mail from systems on those lists can't get through to your mailbox. (Many service providers use more than one of these lists.)

Questions: Are the lists all objective? Do they clearly define the standard for getting on the list, or the procedures for getting off of it? Is the management and staff of the list even-handed and fair?

Answer: Not usually.

I know of one large company that got on one of the big blacklists simply because the owner didn't jump fast enough to shut down an affiliate who was accused of spamming. The person handling the case for the blacklist said, basically, "Do it because I said so and I have my finger on the trigger."

The maintainer of another of the more well known lists used to frequently add systems to his list for personal disagreements.

Others simply have such nebulous criteria for inclusion that they're nearly useless. Still, people use them.

And then, joyously, there's the problem of aging of entries. I switched hosts once and discovered that the IP address I was on with the new host was blocked in the local blacklist of a large ISP. ("Local" means the list the ISP maintains on their own, in addition to any outside lists they might use.)

Well, ain't that lovely?

If I wasn't manually examining each bounce message, all 1250+ subscribers at that system would have been gone, with no explanation or recourse. As it was, the admin who eventually removed me threatened to sue me if he saw anything that "even looks like spam" coming from my system. ("Looks like." Based on... ?)

Local lists are a huge part of the problem. They're very easy to get onto (one forgetful subscriber or vengeful prankster is usually enough) and very hard to get removed from.

Take all these lists, used in various combinations and with differing standards, and spread their influence across the net.

Major fractures showing already.

Next, we look at...




SYSTEM ADMINISTRATORS: These are the folks who hook all this stuff up and make things run. For the most part they're doing the best they can, but they're almost invariably underpaid and overloaded. If they fat-finger one setting, lots of stuff can go majorly wrong.

In most cases, legitimate error is the worst thing you have to worry about with sysadmins. They're mostly extremely conscientious people. Mostly.

Little things like human prejudices do come into play here from time to time. One of the folks defending content filters in general (and Spam Assassin in specific) told me that tools like SA were the best way to get rid of all the "porno smut that's ruining the net."

He was pretty clear that he wasn't just talking porn spam. He was talking about all of it. Requested or not.

Excuse me, but I'm 43 years old, single, and don't let people's kids play with my computers. If I want to pay someone to send me "porno smut," it's none of anyone else's business. (I don't, but that's not anyone else's business either.)

I wonder what else he considers it his "moral obligation" to protect me from?

Another of these fine folk informs me that Spam Assassin shows NO false positives on the 5,000 to 7,500 spams delivered to his system (an ISP) every day.

Ya know... I have some real doubts about that. Even the people who work in developing SA don't make such amazing claims for its accuracy... Ya think he might be fibbin', just a bit?

Or is it possible that his idea of spam is content based, rather than permission based? Maybe he'd think this newsletter was spam, if he didn't like what it had to say?

These are the folks controlling those nifty content filters, boys and girls. If you don't think their personal prejudices can occasionally creep in and influence how they adjust the settings for what gets through, you don't know much about human nature.

It ain't just porn that people filter, you know. (Remember our last Presidential election?)

Even the most fair-minded and balanced person can be swayed this way without intending to be. Especially when they're working with virtual anonymity. Could you PROVE they were enforcing a personal preference, rather than trying to "fine tune" the filters, if you even noticed the changes?




THE BACKBONES: These are the companies that own the cables, routers and other equipment that connects all the various service providers. The Internet equivalent of the old Ma Bell.

They play some interesting roles. First, they put enormous pressure on small service providers to handle spam complaints, often without any regard for whether there's a legitimate basis for the complaint.

Of course, these pressure tactics are reserved for the small operator. There are backbones who, as you read this, are playing "safe haven" for any spammer who can play by their rules. The rules are simple:

  1. You send one opt-out message allowing the people who own the addresses you scraped to unsubscribe.

  2. You pay them $50,000 a week for complete immunity from being shut down.

The first rule describes what's called a "permission pass." Those are the messages that say things like "You're receiving this because you signed up at our web site or with one of our marketing partners. If you don't wish to receive these offers, unsubscribe."

Yeah. My autoresponders, list servers and role addresses all went and signed up at these unnamed sites for stuff I personally have no interest in whatever. Right.

I've never seen one of those emails yet that wasn't a lie.

Interestingly, there are some MAJOR companies using the services of these spammers. Take a look at the ones you get like this, and who they're advertising for. It's quite an eye opener. (Why yes, there ARE major banks among them. How did you guess?)

The backbones involved are knowingly passing the costs of this truly massive amount of spam on to their customers. They charge the spammers for the right to send it, and then charge the service providers for the bandwidth needed to deliver it.

What a racket, huh?

The service providers then have to find a way to deal with the costs of processing all this spam.

Of course, all that money comes from you in the end.

Oh well. Why worry?

Other than refusing to buy from spammers, there isn't a damned thing you can do about it anyway.




THE DIRECT MARKETING ASSOCIATION (DMA): Headed up by one Bob Wientzen, and lovingly known as "Bob's Big Boys," this is one of the most powerful lobbies for big business in the United States.

The Spamhaus Project calls the DMA "The Direct Spamming Association." The DMA publicly endorses spam as "freedom of commercial speech," and considers it a legitimate marketing tool.

The DMA is on record as promoting "opt out." The idea here is that anyone can sign you up for as many lists as they want, and you have to unsubscribe from each of those lists individually.

Well... not quite anyone, it seems.

I'm hearing stuff about the DMA offering deals to ISPs that you might find interesting. The report is that they (or their members) will pay the ISPs to deliver THEIR spam, (anyone remember Walt Rines?), but only if the ISPs filter out or block OTHER spam.

You know. Those nasty porn spammers, scammers, cell phone salespeople, web hosts and the like. And I'm sure it wouldn't break their hearts if your business newsletter got caught in the filters. Less competition for their members, eh?

Wouldn't Spam Assassin be a lovely tool for enforcing this scheme? Tweak the filters, add the DMA members to the whitelists, and voila!

How do you folks who are developing Spam Assassin feel about your baby being used like this?

Still think content filtering is to be trusted, folks?

By the way, the DMA has aggressively resisted any form of domain-wide opt-out. So, if they get their way, you'll have to unsubscribe every one of your autoresponders, role addresses, list servers and personal addresses from every list one of their members decides to add you to. Individually.

Doncha just love these "guardians of free enterprise"?

Newsflash, Bob: The problem isn't the content. It's the delivery method. Make this scheme work, and you're just dropping your members into the sewer with the rest of the spammers we all love to hate.

And they have a lot more to lose than the "REAL spammers" you keep referring to.

Anyone want to tell Bob what you think of his group's position on spam? Email him.

Be polite, please. Screaming will just get you ignored as a kook. And it's not a businesslike way to address someone, even if he is the President of a group that's saying it's okay for their members to steal from you.

Oh. Excuse me. They probably won't like that choice of words. Let's put it another way...

They're saying it's okay for their members to commandeer your resources and time, and the money they both represent, without your permission; and despite the fact that most of you have made it clear you don't want them to. In fact, they refuse to let you tell them you don't want them to, until after the fact, and one address at a time.

They're saying, functionally, that their members have more rights to your email system than you do.

I don't see an ethical difference between the two descriptions, but I'm sure the DMA would prefer not to be on record as promoting theft in quite such blunt terms.




THE POLITICIANS: They have the same problem the DMA has. They'd love to be able to send out massive amounts of spam at voting time, but they'd be classified right there with the porno peddlers and pill pushers. Not the image they want to portray, huh?

So, how do they deal with this?

Well, buying into the DMA's position would work, for one. Or so they think. For some reason, these Clueless Wonders think that we're going to like them more if they help Big Business ruin our mailboxes, rather than cell phone salespeople and web hosts.

The currently fashionable answer is to support only laws against UCE (unsolicited commercial email), despite the fact that UCE is not precisely the problem. This exempts political and religious spam (First Amendment problems) and ignores the bulk aspect.

In the process, it creates problems for people who send one-sender to one-recipient business emails that weren't solicited. There are a lot of legitimate reasons for that kind of 1:1 email. And it doesn't pose a threat to the email system's survival.

If they really want to make a difference, they can. I'll have some suggestions in the next issue that will help, and that WON'T interfere with the rights of legitimate email users at all. (Bonus points for any suggestions which fit that description that I haven't thought of yet. ;)




ANTI-SPAM TOOLS: Ranging from web-based services like SpamCop to desktop software like SpamKiller, these tools aim to make it easy for the average netizen to report spam.

"Aim" being the operative word.

These tools have a number of problems, nearly all of them between the chair and the keyboard. Reporting spam without adding to the problem requires that you understand a bit about how email works.

Most people don't.

The biggest problem is the tendency of inexperienced people to report spam to every address and provider mentioned in the body or headers of the message. This wastes a whole lot of time on the part of service providers that had nothing more to do with the spam than being between you and the spammer.

The users mean well, but don't understand what they're doing. If you don't know what you're doing, you can end up reporting yourself to your own ISP. (Yes, it HAS happened.)

SpamKiller allows for automatic reporting based on the filters that come built in to the program, and others that you can add yourself. Great news, huh? Now you can not only lose mail because of these silly systems, but you can report your friends as spammers as well!

I mentioned what I think are the biggest problems with SpamCop in the last issue. Julian Haight, the operator of the service, is a nice human being, but his sense of justice seems seriously affected by his zeal. He operates under the presumption of guilt, defining spam as "whatever the user says it is." He also allows people to make anonymous complaints.

This combination is unjust in the extreme. My recommendation on it is simple: If you discover that a service provider accepts a single anonymous complaint as any basis for action at all, boycott them and recommend that your friends do as well. Better yet, lobby them to drop SpamCop complaints into the bit bucket. It's a favorite tool for people who want to anonymously harass others with fake complaints.

With all this shooting going on, is it any wonder half the net has no clue and the other half has no brains? Why are we surprised that our email system feels like a war zone?


What's In A Word?


This only happens because there's no objective definition of the word "spam." Every service provider has a slightly (or wildly) different definition, and trying to understand them is often pointless.

Many people flatly refuse to define what they mean by the word, because they fear that spammers will try to find ways around their definitions. This is ridiculous. It comes from failing to understand the basic function of words: Communication.

Not obfuscation. Not "covering our asses legally." Not "making sure we stay in control."

What follows is an attempt to help service providers deal with their customers who are NOT professional, relay-raping, credit card stealing, throw-away dialup, full-scale whackamole spammers. That will require much broader action.

Words are only useful if they have clear and commonly understood meanings. We need one for spam.

Of course, I'm about to suggest one. And I'm going to do it in a way that leaves all you service providers the "out" that you genuinely need to avoid abuse of your email systems.

Just as granite is a subset of the general category "Rocks," spam is a subset of the general category "Abuse."

I propose that we use the following definition for "spamming":

Knowingly sending unsolicited bulk email.

Unsolicited is easy: If someone asks for the mail, knowing what they'll get at the time they ask for it, it's solicited. Otherwise, it's not.

Email is obvious.

Defining bulk is up to the individual provider. Given the amount of mail that's needed to generate a single order, I'd think any number from 50 per day to 2000 per month would work nicely. This leaves plenty of room for small BCC lists to family, friends and associates, without enough bulk for spammers to make any money.

Pick your Spam Threshold and announce it. Voila - Instant objective standard. You can fine tune it as you learn more about what really does and does not create problems.
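
One way a provider could apply a published Spam Threshold to its outbound mail records, as an added example that is not part of the original article. The record layout, the consent set and every address are constructed assumptions; the two thresholds are the ends of the range suggested above, and the check measures only "unsolicited" and "bulk," not "knowingly."

```python
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple


class Threshold(NamedTuple):
    limit: int        # most unsolicited deliveries allowed inside the window
    window_days: int  # 1 = per day, 30 = per rolling month


# The two ends of the range the article suggests; a provider announces one.
PER_DAY = Threshold(50, 1)
PER_MONTH = Threshold(2000, 30)


def unsolicited_per_day(deliveries, consent):
    """Count deliveries per sender per day that have no consent record.

    deliveries: iterable of (date, sender, recipient), one per delivered copy.
    consent: set of (sender, recipient) pairs where the recipient asked for
             the mail, knowing what they would get (hypothetical record store).
    """
    counts = defaultdict(lambda: defaultdict(int))
    for day, sender, rcpt in deliveries:
        if (sender, rcpt) not in consent:
            counts[sender][day] += 1
    return counts


def first_breach(daily_counts, threshold):
    """Return the first date whose rolling-window total exceeds the limit."""
    for day in sorted(daily_counts):
        start = day - timedelta(days=threshold.window_days - 1)
        total = sum(n for d, n in daily_counts.items() if start <= d <= day)
        if total > threshold.limit:
            return day
    return None


def senders_over(deliveries, consent, threshold):
    """Map each sender over the threshold to the date it first went over."""
    flagged = {}
    for sender, daily in unsolicited_per_day(deliveries, consent).items():
        day = first_breach(daily, threshold)
        if day is not None:
            flagged[sender] = day
    return flagged


def sample_data():
    """Constructed sample: four senders with different mailing patterns."""
    start = date(2002, 4, 1)
    deliveries, consent = [], set()
    # Newsletter with 500 confirmed subscribers: bulk, but solicited.
    for i in range(500):
        rcpt = f"sub{i}@example.net"
        consent.add(("news@example.com", rcpt))
        deliveries.append((start, "news@example.com", rcpt))
    # Small BCC list to family: unsolicited, but nowhere near bulk.
    for i in range(12):
        deliveries.append((start, "alice@example.com", f"kin{i}@example.net"))
    # One burst of 80 unsolicited copies on a single day.
    burst_day = start + timedelta(days=2)
    for i in range(80):
        deliveries.append((burst_day, "burst@example.com", f"x{i}@example.org"))
    # 70 unsolicited copies a day, every day, for 30 days.
    for d in range(30):
        for i in range(70):
            deliveries.append((start + timedelta(days=d), "drip@example.com",
                               f"y{d}_{i}@example.org"))
    return deliveries, consent


if __name__ == "__main__":
    mail, asked = sample_data()
    for name, rule in (("per day", PER_DAY), ("per month", PER_MONTH)):
        for sender, day in sorted(senders_over(mail, asked, rule).items()):
            print(f"{name}: {sender} went over on {day.isoformat()}")
```

The confirmed newsletter and the family BCC list pass under either rule, while the single-day burst is caught only by the per-day rule, which is why the chosen threshold has to be announced along with the definition.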

Define the rest of the actions you want your customers to avoid under the general category of "Abuse." If you want to add a clause that ALSO forbids the sending of unsolicited commercial email to more than 5 people per day, go for it. (They're your servers, after all.) Just call it UCE, and not spam.

Heck, make a rule that says you can't start more than two sentences in a row with vowels if you like. Just include it in the TOS, and don't call breaking that rule "spamming."

I'm not trying to tell you how to run your business. I'm just trying to put a little sanity back in the handling of email abuse.

This may seem like a trivial matter, but it solves a lot of problems. The main one is that, by giving an objective meaning to the word, it defuses a lot of the emotional and irrational extremism on both sides of the fence.

That will allow you to do your job in a much more sane environment, and without feeling you have to pay attention to foolish arguments from kooks.

Another is that it brings to a dead stop the use of the word "spam" as a club for revenge or extortion.

A third is that it clears the way for more rational definitions of other forms of abuse, including those that must, as some always will, require judgment calls by abuse personnel.

Yet a fourth is that, by requiring that the person requesting the email be told what they're getting at the time of the request, marketers are forced to be more specific about their use of email addresses trusted to them. This will make things clearer for everyone involved, and prevent a lot of the complaints that arise from consumer confusion or incomplete/unclear disclosure by marketers.

There are others, but I believe these represent the vast majority of the cases that such a definition would help to solve.




The one exception I would suggest is that individuals and companies be allowed to send commercial email to their paying customers. (Not just people who've asked for one-shot information, like an autoresponder, but actual cash paying customers.)

Like any bulk mail, these emails should include a way to unsubscribe. If specific unsubscribe instructions are not included, a simple request to either the From or Reply-To address should enable them to stop the mailings.

The reasons for this are simple:

  1. It's generally assumed that people you buy things from are going to contact you about those things, as well as about other product offerings. The mail could arguably be considered solicited by a reasonable person.

  2. There aren't enough companies that any one individual does business with to ruin their use of email under normal circumstances. (See point 4 for the unusual circumstances.)

  3. There are serious legal issues that might make interfering with communications between those with an established business relationship dangerous.

  4. If the company abuses the privilege, they're going to lose the customer. Thus, there's a built-in penalty for it, and an incentive to keep those communications in the best interests of the customer. As long as the unsubscribe option works, it's a self-policing situation.




Yes, there are reasonable people who will disagree with these suggestions. We're not ever going to get everyone to agree, so we need to come to a useful working consensus.

I believe these guidelines form a useful basis for an objective set of definitions, and could be the beginning of the end for the chaos that hounds small businesses, consumers, and service providers alike on this issue.

We have to do something about this craziness, and I'd much rather see it be handled by net.users than by legislators. We have some clue what we're doing.

Generally speaking, they don't.


As always, your comments, critiques and suggestions are welcome.


Paul
paul@talkbiz.com






Copyright 2002, Paul Myers and TalkBiz News