Heroes Happen Here Launch Events Attend the upcoming launch of three powerful new products, take a test drive, meet the teams, and leave with promotional copies of Windows Server 2008, Microsoft SQL Server 2008, and Microsoft Visual Studio 2008. Register here. »   Install What You Need with Windows Server 2008 Windows Server 2008 is Microsoft's most full-featured server operating system yet, so it's ironic that one of its most exciting new features is an install option that cuts out most of the other features. Paul Rubens explores why a Server Core installation makes a great deal of sense in many instances. »   Simplify Big Business IT for Small and Midsize Companies Windows Small Business Server 2008 and Windows Essential Business Server 2008 deliver all-in-one solutions to help fuel growth for customers and partners. »   Q&A with Bob Muglia: Senior VP, Server and Tools Division Bob Muglia, senior vice president, Server and Tools Division, discusses Microsoft's new interoperability principles and the steps the company is taking to increase the openness of its products. »   Q&A with Lutz Ziob, GM of Microsoft Learning Lutz Ziob, the general manager of Microsoft Learning, talks about how IT professionals can become certified heroes within their enterprises by getting trained and certified in Windows Server 2008. »

Related Articles •Has Julian Haight Gone Straight? •Whitelists Battle for Market Share •Proposals Offer Small Steps to Stop Spam

- ITSMWatch Newsletter -

Tech Focus: Security Cybersecurity: Laws Only Go So Far Mozilla Firefox vs. Internet Explorer: Which is Safer? Is Your Blog Leaking Trade Secrets? The Las Vegas Counterfeiting Story: Is Your Privacy Worth More Than a Poker Chip? Stopping Spammers at The Point of Sale

Product Watch •IOGEAR KVM - Includes Audio/Peripheral Sharing •Coverity Prevent / Coverity Thread Analyzer - Analyze Source Code For Defects, Security Vulnerabilities •USSD Series - SDRAM-Based Solid State Drives to 256 GB •UltraSMS - Send SMS From Your PC •Sentinel Sensors - Wi-Fi Based Temperature Monitoring Especially For Cold Storage more products >>

Datamation Definitions data mining ERP extranet grid computing intranet network appliance outsourcing storage VPN virus

FREE Tech Newsletters Instant Messaging Planet HTML CIO Update CodeGuru Update Practically Networked HTML Enterprise Storage Forum HTML Optically Networked HTML Intranet Journal Update Datamation IT Management Careers Datamation IT Management Update Executive Tech HTML Developer.com Update Gamelan Java Update Goodies to Go Javascript Weekly HTML JARS Java Update OpenSource Update SysOpt Tech Notes Grid Computing Planet HTML E-Security Planet HTML Virtual Dr. Text

Tips for Operating System Deployments. Listen to an audio cast about operating system deployment.

Don't Get Killed by 'Spam Trap Poisoning'
June 22, 2004
By Brian Livingston

If your company sends out an e-mail newsletter to customers, you may find yourself suffering from a new problem I call "spam trap poisoning."

Spam traps are e-mail addresses that antispam groups post on the Web but don't use for sending e-mail. Instead, these addresses lie in wait until they're found by "harvester" programs. These harvesters are key tools for spammers: they scan millions of Web pages, scooping up every e-mail address that's visible.

If a spam trap receives any e-mail, therefore, antispam groups assume the message must be spam. This can automatically put the IP address on a "blocklist" that keeps the sender's messages from getting through to some mail servers.

Unfortunately, spam traps are starting to bite legitimate businesses. I'll explain how and what you can do about it.

How Spammers Can Poison Spam Traps

I discussed spam trap poisoning with Julian Haight, the director of a controversial blocklist called SpamCop.net. In an interview, which formed the basis for my column last week on SpamCop, Haight said he's reduced his reliance on human spam complainers and has dramatically increased his use of spam traps. "80 to 90 percent" of the reports he receives are now generated by such bots, he explains.

Spammers, however, are learning how to discover which e-mail addresses are spam traps. How can this injure your company's reputation and e-mail deliverability?

• Spam Traps Lead To Swift Blocklisting. Because spam-trap addresses can react immediately to any e-mail they receive, as little as a single message can add a sender to a blocklist within minutes. Spammers don't much care about one individual source of spam being blocked, of course. The top professionals in the spam business use a massive network of hundreds of thousands of PCs they've infected with Trojan horse programs that actually send the spam. Some infected PCs may be blocked, but spammers have many others that aren't.

• A Process of Elimination. Because the biggest pros send millions of junk e-mails a day, they can segment their lists and send messages through different computers to try to identify spam traps. If one sender was added to a particular blocklist at 10:00 a.m., for example, it was probably due to a spam-trap address that received a piece of spam after 9:30 that same morning.

• Poisoning the Spam Traps and Your Company's Good Name. By watching mailings that are sent out on subsequent days, spammers can soon isolate a few addresses that are almost certainly spam traps. The spammers then sign those addresses up for legitimate e-mail newsletters to ruin the effectiveness of the spam traps. Now the addresses are receiving legitimate e-mail, not just spam.

• Reliance on Spam Traps Backfires on Blocklists. To best "poison" the spam traps, spammers use the newsletters of the most respectable companies possible. When mail servers that use blocklists start to reject mail from these large, respected brand names, the blocking services lose credibility. Many end users had wanted to receive those company's mailings and blame the blocklists for being wildly inaccurate.

If your company's newsletter is used in these exploits, the pain can be severe. Your routine e-mail messages can suddenly start to bounce — or simply disappear, deleted forever by mail servers that blindly relied on the blocklists.

Choose One: A Terrible Problem or a Horrible Problem

Haight is adamant that companies can avoid damage to their reputations by requiring all newsletter subscribers to "double opt-in" as opposed to "single opt-in." He also considers double opt-in to be a requirement because it prevents one person from signing up another person's e-mail address to an unwanted list.

Let's take a closer look at what single and double opt-in mean:

• Single Opt-In. A single opt-in newsletter allow customers to sign up by entering their e-mail address in a Web form and clicking "Subscribe." The publisher usually sends an immediate message welcoming subscribers and telling them how to unsubscribe if a mistake has been made.

• Double Opt-In. This method, also called "confirmed opt-in" or "verified opt-in," doesn't initially send any newsletter to customers who subscribe. Instead, the subscribers receive a message saying they must "verify" their e-mail address. The message usually instructs the recipient to click a hyperlink or generate some kind of e-mail response.

There's a big problem with double opt-in, however. The newsletters of most Fortune 500 companies don't require it, because a huge number of customers simply don't understand why they have to verify their address — "I just gave it to you, it's valid, you idiots." Other consumers don't respond because they've been told never to follow any instructions that an e-mail requests, as a precaution against "phishing."

"I've seen the rate as low as 40% confirmation," says Paul Myers, publisher and editor of TalkBiz News, a newsletter for business owners. His own publication, which uses double opt-in, has a very targeted audience and gets almost 100% confirmation, he says. But he doesn't believe double opt-in should be a requirement for every company. "There shouldn't be any reason why people miss the mail they want because they didn't understand the confirmation process — or that one was required."

The Battle Over Opting-In

Anne Mitchell is CEO of ISIPP (the Institute for Spam and Internet Public Policy), a whitelist organization that works with Internet service providers and spam filtering companies. "The push for double opt-in was really by the antispammers, not the ISPs," she says. "They [the ISPs] don't care how you build your list, as long as you don't send spam."

ISIPP maintains online scoring systems that are used by SpamBouncer and other antispam filters. One ISIPP scoring formula for trusted senders gives a maximum of 90 points to those who require double opt-in. But single opt-in newsletters can still achieve 80 points. The difference is small — because single opt-in newsletters aren't spam.

As far as the percentage of cases in which one person is subscribed by another person to a single opt-in newsletter, the number is "miniscule," Mitchell says.

How Many Mistakes Are Made, and Who Makes Them?

AWeber Communications is one of the world's largest e-mail service providers. Literally thousands of different customers use the firm's technology to send opt-in e-mail newsletters, according to company CEO Tom Kulzer.

AWeber requires the double opt-in method for new subscribers to get its own newsletter, Kulzer says. But his firm allows its individual publishers to choose to use either double opt-in or single opt-in. "More of our customers use single opt-in, fewer use double opt-in," he explained in a telephone interview.

Confirmation rates for the double opt-in newsletters he's monitored range from "nearly 100%" to "as low as 20%." Meanwhile, cases in which an innocent person has been signed up to a single opt-in newsletter without consent are very rare, in his experience. "We see that maybe once a month," Kulzer says.

"Usually the only time we see problems with somebody maliciously typing in someone else's address is vehement antispammers who are signing people up to a list," he continues. "When we track that down, the newsletter's been sent to a 'postmaster' account that only these [extreme] antispammers would know about."

Conclusion

You're caught between two awful choices. If you require a double opt-in policy for people to subscribe to your company's newsletter, you may lose half of more of the people who want to sign up for it. That's bad customer service. On the other hand, if you use single opt-in, as most companies do, anyone can add spam-trap addresses to your database of subscribers. Your company could suffer e-mail deliverability problems for days after every issue of your publication goes out — activating the blocklists each time.

The answer is to carefully monitor which blocklists point to or don't point to the IP addresses that your company uses to send mail. OpenRBL.org is one free service that allows you to enter any IP address or domain name to see whether it's on any of 30-some real-time blocklists.

If your company does get whacked by a blocklist for a few hours or days after your newsletter goes out, use some of the same tricks that spammers use to identify spam traps. Segment your e-mail list into 24 groups at random. Send mail to each group, one hour apart throughout the day. If one group triggers a blocklist, segment it even further until you've isolated the potential problem addresses.

Finally, consider dropping subscribers who, according to your server logs, haven't clicked a hyperlink in months — they could be robots disguised as ordinary newsletter readers.

Brian Livingston is the editor of Brian's Buzz on Windows and the co-author of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page.

Tools:

Add itmanagement.earthweb.com to your favorites Add itmanagement.earthweb.com to your browser search box IE 7 | Firefox 2.0 | Firefox 1.5.x Receive news via our XML/RSS feed