Spam Slayer: Collateral Damage

SAN FRANCISCO (09/16/2003) - This new weekly online column chronicles the spam wars and offers advice. Send your spam gripes and questions to spamwatch@pcworld.com. Our inaugural writer is frequent spam-beat reporter Daniel Tynan; later this month Tom Spring will take the column's helm. As always, your comments and suggestions are welcome.

Sometimes lost in the clamor about spam is the wailing of innocent victims--legitimate e-mailer services whose messages are mistaken for spam by ISPs. A recent study by Denver e-marketing firm Return Path Inc. claims that one in five "permissioned" messages (that is, those requested by the recipients) gets blocked before it reaches an in-box.

Some victims are doing more than just complaining. CI Host, a Texas-based hosting service, has sued America Online Inc. for US$10 million, claiming AOL is illegally blocking incoming mail sent by many of the firm's 200,000 customers.

AOL misidentified mail sent from CI Host's customers as coming from open relays, which are insecure computers that are often used to obscure the true source of spam, says Chris Faulkner, CI Host's chief executive officer (CEO). AOL spokesperson Nicholas Graham says the allegations made in the lawsuit "are wholly without merit," and that AOL's e-mail policies permit it to block e-mail from sources it cannot identify.

"Are mistakes made from time to time?" Graham asks. "Absolutely. When you handle 3 billion e-mails a day, a limited number of legitimate e-mails can get blocked. Our members don't expect perfection, but they do expect us to protect them from offensive or annoying e-mail."

Are You on the List?

The greatest gnashing of teeth concerns so-called blocklists (also sometimes called blackhole lists) of alleged spammers--in particular, the one maintained by the Spam Early Warning Prevention System (SPEWS). Among other things, SPEWS lists a large range of IP addresses--including those used by many nonspamming customers--to force ISPs to boot suspected bulk mailers from their networks.

Worse, no one knows who or where SPEWS is, and the only way to get off the list is to post a request in an antispam newsgroup and hope the SPEWS originator reads it. I spoke with one e-mail service provider whose company sends permission-based newsletters on behalf of Fortune 500 companies; his firm has been on the SPEWS list for two years.

"There's nothing wrong with the concept of blackhole listing," says the executive, who asks to remain nameless. "The problem with SPEWS is that it's a vigilante organization. Just because someone could potentially abuse our service to send spam, we're on their list, period."

Not all blocklists are as draconian as SPEWS. But not all "opt-in" e-mail lists are what they claim to be, either. The e-mail exec admits that his firm got blacklisted after using a mailing list that a client claimed was permission-based but really wasn't. His firm stopped using the list once the mistake was caught, but it was too late.

CI Host's Faulkner says his firm uses the SpamCop blocklist to monitor customers' outgoing e-mail. If SpamCop reports a spam outbreak coming from any CI Host site, the customer's e-mail service is turned off. Even so, he admits it's impossible to keep any network completely free from spammers. "There will always be people trying to break the rules," Faulkner says.

Can you tell the difference among a spammer, a spam-friendly host, and another innocent victim caught in the crossfire? The lines are anything but clear.

Spam Q&A

Question: I occasionally send e-mail to the Contact Us links on the sites of prospective customers. My product is legitimate, and I don't send thousands of messages at a time or falsify my return address. Am I sending spam?

--Daniel G.

Answer: Well, that depends on how you define spam. The most common definition is that it is unsolicited commercial e-mail; if you're trying to sell something via e-mail to people you don't already know, and they didn't ask you to contact them, then technically you've sent spam. Some people define it as unsolicited bulk e-mail, which also includes noncommercial mail--such as political or religious messages--sent in volume. The Direct Marketing Association and many electronic marketers define spam as e-mail that's deliberately deceptive or uses techniques such as hijacked mail servers to hide its source. Unfortunately, most federal laws under consideration embrace the last definition; antispam activists fear any legislation based solely on fraud will open user in-boxes to a flood of "legitimate" junk e-mail.

Question: How do spammers make money from bulk e-mail? Is someone paying them to send it? Or are they hoping you will respond to some of their e-mail with personal financial information they can steal or exploit?

--Richard Y.

Answer: How about both? In most cases, spammers are contracted by advertisers looking to sell a product or drive traffic to a Web site. The advertiser pays the spammer a percentage based on how many people click through to the site and/or buy a product. Because of the relatively low cost involved in sending millions of e-mail messages, only 1 person in 10,000 needs to respond to make the operation profitable for both spammer and advertiser. But this is probably not the case when it comes to scam e-mail. Notorious examples include the Nigerian 419 con, in which a deposed foreign dictator supposedly wants to give you $30 million; or "phisher" e-mail messages that pretend to be from your bank and ask for your credit card numbers. In these cases, the organization sending the e-mail is likely also the one trying to steal your money or your identity.

Question: Lately I've had people tell me they aren't getting my e-mail. How do I find out if my mail is being blocked by their ISP?

--Greg D.

Answer: Usually if your e-mail is blocked you'll get a bounce notification from the mail server that blocked you, along with a '550 Access Denied' error message. Depending on the ISP, the notice might contain a link to a Web site with more information, a phone number to call, or the name of the blocklist you're on. Your first step is to contact your ISP: It may be able to find out if your IP address is being blocked and to get the block removed. (Don't count on it, though.) In other cases, however, the blocked mail gets discarded without any notice, and you may never find out.
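An added illustration, not part of the original column: when a bounce arrives as a standard delivery-status report, the details mentioned above (the 550 code, the rejecting server, any link to more information) can be extracted with Python's standard email parser. The sample bounce, its host names and the keyword heuristic for spotting a policy block are constructed assumptions.

```python
import re
from email import message_from_string
# Constructed sample bounce: hosts, addresses and wording are made up.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mail.sender.example
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Your message could not be delivered.

--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mail.sender.example

Final-Recipient: rfc822; friend@isp.example
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx.isp.example
Diagnostic-Code: smtp; 550 Access Denied - 192.0.2.25 listed by blocklist.example, see http://postmaster.isp.example/blocked

--b1--
"""

def explain_bounce(raw):
    """Return one dict per failed recipient in a delivery-status report."""
    findings = []
    for part in message_from_string(raw).walk():
        blocks = part.get_payload()
        if part.get_content_type() != "message/delivery-status" or not isinstance(blocks, list):
            continue
        for block in blocks:  # per-message block first, then one per recipient
            if block.get("Action", "").strip().lower() != "failed":
                continue
            diag = " ".join(block.get("Diagnostic-Code", "").split())
            code = re.match(r"smtp;\s*(\d{3})", diag, re.I)
            status = block.get("Status", "").strip()
            findings.append({
                "recipient": block.get("Final-Recipient", "").split(";")[-1].strip(),
                "rejecting_host": block.get("Remote-MTA", "").split(";")[-1].strip(),
                "smtp_code": code.group(1) if code else None,
                # Assumed heuristic: 5.7.x (policy/security) or blocking keywords.
                "policy_block": status.startswith("5.7") or bool(
                    re.search(r"denied|blocked|blocklist|listed", diag, re.I)),
                "links": re.findall(r"https?://[^\s>)]+", diag),
            })
    return findings
```

A mailbox that no longer exists also produces a 550, so the enhanced status code and the wording are what separate a block from an ordinary delivery failure.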

Have a spam-related question or problem? Send it to spamwatch@pcworld.com.
