Columns

The spam wars part 2 — new challenges for email users

The strong medicines used to combat spam and other online abuse have significant side effects, such as the growing difficulty companies are having getting through spam filters and getting their messages out

By Jacob Stoller

Caught in the Web

Many organizations that have done a good job filtering spam out of their networks have given little thought to the fate of their own missives. “It’s actually an interesting discussion to have with people,” says Brian Bourne, president of CMS Consulting, and a co-founder of security user group the Toronto Area Security Klatch (TASK), “because people always talk about the cleansing spam solution, but so many people are getting caught now in spam filters. And as an organization, assuming you’re sending solicited mail that’s legal stuff, you want to make sure it gets through to the people you need to communicate with.”

The problem has become somewhat elusive due to current filtering practices. In the past, an email sender could gauge how well messages were getting through by monitoring non-delivery reports (NDRs) — server-generated return emails informing the sender that the message was rejected. Today, fewer and fewer organizations are sending NDRs, partly because of sheer volume — companies sending out NDRs have to send out millions and millions of them at a significant cost — and partly because NDRs reveal information that can be used by spammers.

This means that an email sender can send out, for example, a client newsletter, and not know how many customers are receiving it. Or even worse, an important notification sent to a customer could be rejected by a spam filter without the sender’s knowledge.

Even when the sender knows messages are being rejected, the cause may not be obvious — filters today make their determinations based on multiple criteria. “They all work on a scoring system,” explains Bourne, “so, you want to do everything you can when you send those communications to keep your score low.”

Obstacles for both parties

Rejection of legitimate email is not only a problem for the sender but for the intended receiver.
“This is an area,” explains Doug Bowers, senior director of anti-abuse engineering at Symantec Corporation, “where the sender community and the mail security community are constantly having a dialogue to try and figure out ‘how can we best reach the right understanding so that legitimate senders who are following all the right rules are able to get their mail delivered and not get caught in the same filters that are blocking the people that are really spamming.’ ”

One of the leading proponents of this dialogue, according to Bowers, is the Messaging Anti-Abuse Working Group (MAAWG), a global industry-sponsored association dedicated to preventing various forms of messaging abuse. In a report entitled MAAWG Sender Best Communications Practices, the association outlines key recommendations for email senders which are beneficial from two perspectives: the prevention of offensive practices, and the encouragement of behaviours that allow senders of legitimate email to distinguish themselves from email abusers. The report is available at the organization’s website at www.maawg.org.

Many of the report’s recommendations urge senders to assiduously avoid any kind of sending practice that could be interpreted as intrusive, coercive or deceptive. Central to this is the concept of permission — any newsletter or other mass communication should only be sent to people who actively opt in. The opt-in process should make it completely clear what a recipient will be receiving, and how often he or she will be receiving it. There can be no trickery or deception involved here. If the recipient’s email address is to be used for any other purpose, this needs to be clearly specified.

The concept of permission is reinforced by allowing recipients to easily and instantly opt out of any mailing that is sent on a regular basis. For starters, every newsletter should have a one-click “unsubscribe” button.
To make the process easier, there should be several ways for a recipient to opt out, and multiple channels for handling complaints so that they can be received by email, over the Web, and offline. As well, organizations are encouraged to adhere to industry standards for unsubscribe notifications.

Transparency is another concept that pervades the report. Essentially, communications need to be clear not only in their content, but in who they are coming from. For example, the “From” and “Reply to” fields in an email need to match. Another recommendation is that emails should be sent from a fixed IP address — a step that some smaller businesses may not have taken. Another small business practice that is not recommended is when an email user sends a message to his/her own email address and blind copies to a list of recipients.

Following the rules

Transparency also involves acquiring what has become known as an internet reputation — compliance with a number of practices that affirm that the sender is part of a community of responsible senders. To establish this, organizations need to learn to play by the myriad rules that govern the world of email servers. This means becoming familiar with the authentication processes of not only the Internet service provider (ISP), but those of all of the ISPs that messages are likely to encounter. This is a highly technical matter which requires expertise that goes beyond most IT departments. Organizations that send out a significant number of newsletters or customer announcements will likely need to retain outside help in this area.

The report also urges senders to manage their mailing practices in order to minimize the number of messages sent to unintended or nonexistent recipients. This means that email lists need to be “scrubbed” on a regular basis to remove the addresses of employees who have left their company or opted out, or erroneous addressees.
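
The header-level recommendations above (matching “From” and “Reply to” fields, not mailing oneself with the list blind-copied, and standard unsubscribe notifications) can be checked before a newsletter leaves the building. The Python check below is an added example, not part of the MAAWG report or the original column; it assumes “match” means the same address and that the unsubscribe standard meant is the List-Unsubscribe header (RFC 2369) with the one-click form of RFC 8058, and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

def lint_outgoing(raw):
    """Return findings for one outgoing bulk message; an empty list means clean."""
    msg = message_from_string(raw)
    findings = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    # "From" and "Reply to" need to match (assumed here: same address).
    if reply_to and reply_to != sender:
        findings.append("reply-to-mismatch")
    # A message whose only visible recipient is the sender itself is the
    # pattern of mailing oneself and blind-copying the real list.
    visible = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    if visible and all(addr.lower() == sender for _, addr in visible):
        findings.append("self-addressed-blind-copy")
    # Unsubscribe headers (assumed standard: RFC 2369 plus RFC 8058 one-click).
    uris = re.findall(r"<([^>]+)>", msg.get("List-Unsubscribe", ""))
    one_click = msg.get("List-Unsubscribe-Post", "").strip().lower()
    if not uris:
        findings.append("no-list-unsubscribe")
    elif not (any(u.lower().startswith("https://") for u in uris)
              and one_click == "list-unsubscribe=one-click"):
        findings.append("no-one-click-unsubscribe")
    return findings

# Constructed sample messages (not real traffic).
GOOD = """\
From: Example News <news@example.com>
Reply-To: news@example.com
To: reader@example.org
Subject: March newsletter
List-Unsubscribe: <mailto:unsubscribe@example.com>, <https://example.com/unsub?id=123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello, reader.
"""
BAD = """\
From: Owner <owner@example.com>
Reply-To: sales@example.net
To: owner@example.com
Subject: Big sale

Hi all.
"""

if __name__ == "__main__":
    for name, raw in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_outgoing(raw))
```

A single test message sent to oneself trips the blind-copy check too, so the check belongs in the bulk-mail path rather than on all outgoing mail.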
Companies also need to have measures in place to immediately correct sending errors when they occur. Like establishing and maintaining a positive Internet reputation, this may require significant resources.

The bottom line is that fighting spam is a partnership between legitimate senders and legitimate receivers of email. As the spam wars escalate — and all indications are that they will — there will be a growing need for senders to buy into this partnership, and to obey the rules therein. Attitudes are already changing — even the mildly manipulative practice of sending out an invitation to receive a newsletter with a pre-checked box that says “yes” is no longer considered acceptable.

The emerging reality is that organizations that want to avoid looking like spammers will have to do everything in their power to avoid acting like spammers.

Jacob Stoller (jacob@stollerstrategies.com) is a Toronto-based independent writer and researcher.