ISPs Starting To Charge for 'Guaranteed' Email Delivery

Presto Vivace writes "Under the guise of fighting spam, five of the largest Internet service providers in the U.S. plan to start charging businesses for guaranteed delivery of their e-mails. In other words, with regular service we may or may not deliver your email. If you want it delivered, you will have to pay deluxe. 'According to Goodmail, seven U.S. ISPs now use CertifedEmail, accounting for 60 percent of the U.S. population. Goodmail--which takes up to 50 percent of the revenue generated by the plan--will for now approve only mail sent by companies and organizations that have been operational for a year or more. Ordinary users can still apply to be white-listed by individual ISPs, which effectively provides the same trusted status.'"

Fighting spam?

[LordHatrus]

How does it fight spam if the spammer can ask to be whitelisted, or if the spammer can pose as or actually be a business operating for more than a year? Lame.

Re:Fighting spam?

[Ucklak]

Same boat as you my friend. We decided that AOL email addresses aren't allowed to be used in our monthly drawing for a free product(meal) so we don't accept AOL addresses on our web form.

The problem is that part of the registration sends a message to the recipient that the user has to acknowledge. That message sent to AOL addresses gets tagged as SPAM. Secondly, the newsletter we send out also gets tagged as SPAM by a good percentage of AOL users. So my opinion of this crap is to discriminate against people with goodmail services.

Re:Fighting spam?

[Jay+L]

Of course, Goodmail can't guarantee that the *recipient* isn't filtering. And it doesn't blacklist anyone. It's just an accreditation scheme like DKIM, but at the per-message level instead of the per-domain level. It does three things, from what I can tell:

1. At the sender side, for those senders who are paying Goodmail, it adds a token to the e-mail that recipients can verify. This part could be great, if they open up a public way to validate that token (and it's in their interest to, I think). Spam filters like SpamAssassin could then score the e-mail differently. Either Goodmail is useless, or it's useful. If it's useless, recipients can ignore the token. If it's useful, recipients can decide to apply less filtering - or they can apply all the usual filters, and just (using SpamAssassin as an example) apply a negative point or two to Goodmail so it's less likely to get filtered.

2. At the recipient side for those recipients who are Goodmail "partners", it guarantees that your mail will bypass all other filters. This part is dubious. Will they regret becoming partners? Maybe, if people start sending spam that's signed by Goodmail. Can they get out of their partnership or change the terms? Dunno. Will the market sort this out? You bet. If Goodmail partners start delivering more spam than non-partners, people will switch to the non-partners.

2. Also at the recipient side for those recipients who are Goodmail "partners", it adds a pretty blue ribbon, etc. to the "chrome" of the e-mail. Yes, the chrome is unforgeable. No, users can't tell the difference between a blue ribbon in the chrome and a blue ribbon in the body. AOL tried this years ago with "Certified E-Mail", so you could tell when a message was REALLY from AOL. Did it stop phishing? No. This part is security theater.

Nobody gets blacklisted. Right now, ALL our mail is essentially second-class mail, subject to all sorts of filters. GoodMail creates a first-class tier that potentially bypasses all that if you pay for the "postage" (which is only 1/20th of a cent for non-profits). Again, the market will sort out whether or not that postage is useful. In fact, "postage" is probably the wrong word - it's more like "notarized" e-mail.

Re:Fighting spam?

[datlas]

Actually being Goodmail requires *fewer* complaints than even regular white listing. The point of Goodmail is NOT that the ISP will not blacklist you regardless of how many complaints you get -- exactly the opposite. If you get a lot of complaints you won't even qualify for CertifiedEmail: http://www.postmaster.aol.com/whitelist/certifiede mail.html : How is eligibility determined for participation in the CertifiedEmail Program? The CertifiedEmail program is open to qualified, accredited senders with a history of good sending behavior. These senders will be further accredited to make sure the sender's programs conform to CertifiedEmail acceptable use policies. Senders accepted into the Certified Email Program will maintain status in the program by keeping complaint rates below threshold across recipient mailbox providers. Violation of complaint thresholds will result in the sender being placed on probation or excluded from the CertifiedEmail Program.

Re:Fighting spam?

[caffeine_high]

We get this a lot, people just mark a legitimate message as spam because it is easier. This is particularly common with with aol users.

The best option I have found is to include a unique identifier in the message and setup a 'feed back loop' with aol. They send you a notification when someone marks a message from your domain as spam. We remove them from our system and then contact them to explain why their lazy actions effect other aol users. Usually they are shocked that they have been caught and vow never to do it again. They often also ask to get included in the system again.

Well

[ShooterNeo]

Honestly, I don't see what the problem is. Charging some sort of cost - whether it be responding to a whitelist request, paying in CPU cycles to complete a hash, or just flat out paying a quarter of a cent - is the only practical way to fight spam. Spamfilters always have a small false postive and false negative error rate, while charging money or a cost does not. A quarter of a cent is many times the expected monetary return on a pure spam.

Since it costs money to set up an infrastructure to accept a cost of any type (reliable servers, an organization, ect) charging actual money rather than hash cycles or CAPTCHAs makes the most sense, and is also the only practical way for a big organization to send emails to a bunch of users.

I want my share too.

[140Mandak262Jamuna]

For every mail delivered to me with a blue ribbon I will charge 0.125 cents. If the ISPs dont pay me I will not read the mails. Howz that!

Re:Breach of contract

[bwd234]

"Well, assuming an user pays for the e-mail account, isn't this a breach of contract and false advertising? By "providing an e-mail account", it can be assumed no real mail is ever meant to be knowingly dropped.

Declaring those who haven't paid the protection racket as not "real mail" is not really something that I would envision as something which would pass a non-bribed judge."

Guess what, this is exactly how the USPS works. They are not responsible for making sure the mail is delivered unless you pay more for it, like certified mail, etc.
How do I know? I was told this in so many words when I had mail lost and complained to the Post Office about it.
It was basically, "if you want to make sure it gets there, have it insured, otherwise..."

Yeah, nice little racket the USPS has too!

Spam Filters are Broken

[tacocat]

I think part of the problem is that spam filters are generally broken and don't work that well. Part of the problem is that no one has seriously thought about how crappy the approach is. The other part of the problem is that their is little or no personal ownership of the filtering of spam.

When the ISP/customer have no relationship on identification of what is spam the ISP has to aim really high and take the approach that anything that is obviously spam is not delivered and everything else is. The net effect is the ISP might not deliver porn spam, but they'll deliver many other things with impunity. If there was a more aggressive involvement of the customer/consumer of the email then you could better tune the filters to match each user better.

SpamAssassin is the worse offender. It's origination was to do static regex checks and add points for each hit. And when you were done, the points put you either IN or OUT. But in order for SA to work you have to tune the number of points added for each regex test. And this is constantly changing. But for it to work, you have to be constantly monitoring the results. No one does this on a consistent basis.

A critical drawback with their approach is the constant game of catch-up they have to play in order to get the filtering to work correctly and then someone has to run some update script to hopefully get everything working correctly. Again, this has to be done continually like the tuning or it will start to fail.

Bayesian filters offered a great alternative but they quickly turned into their own problems. SA uses Bayes, but it's not effective because of the lack of feedback from the consumer (in most cases). It's also prone to over-rides by their own auto-whitelisting. Convenient, but deadly. Where Bayes lacks goes back to the original problems of non-customized feedback and involvement. It's very inconvenient to try and set up something like bogofilter to run for every individual in a group of 1000's so the mail admin makes one file for everyone thereby generalizing the statistics and making them less effective because they have to be good enough for everyone but not so good they remove any of the really serious spam.

And yes, SA does user specific Bayes filtering. I used it for three months and it sucked. It was not a very effective spam filtering system even with user specific bayesian filtering included. It's also getting pretty darn slow. Slow enough to become a consideration.

DSpam is effective, customized, and slower than molasses in january. It will also lose email. But YMMV and I don't really care to hear about how great it is. I lost a lot of email and a lot of money as the result of it. Perhaps some day they can get their act together, but there will always be a severe performance penalty for CRM114. But Bayesian filtering can still compete with CRM statistical success with 100X performance increase.

So what do you do about spam filtering?

The technology exists to effectively and efficiently filter spam. But that's not the problem. The technology that is used today is relatively lame because there are shortcomings abound that prevent a good solution for someone really large (like an ISP).

The problem is to redefine how the consumer is going to own their own spam filtering effectiveness. No more auto-whitelist. No more auto-blacklist, No more auto-update of Bayesian tokens. All of these can be carefully manipulated to taint the statistics and allow delivery in droves. The consumer must take ownership of their mailbox in the same manner that they are expected to take ownership of their credit card information on the internet.

Re:Breach of contract

[asamad]

Slightly different analogy, you are already paying for you packets to make it to the internet, why should you have to pay again ?

Re:Breach of contract

[codegen]

I have not read your terms of service, but I can *almost* guarantee there
is a clause that specifies that the ISP can modify the terms at any time
by posting them on the website and that you agreed to it.

No gurantee of service?

[nurb432]

Then what value is the ISP?

This cant be legal. "here is your service. Oh, you want it to actually work, well pay up"

Google already does this

Gmail started rejecting mail from my home system back in April. At the time the rejection was "Our system has detected an unusual amount of unsolicited mail originating from your IP address."

This turned out to be a lie, but I wasted time making very sure it wasn't true. Nor was it an inherited IP problem from DHCP because I'd had the same for months.

To make it more fun, much confusion was caused because some of my 'rejected mail' had actually gone through.

Eventually I got a response from complaining to Gmail as a Gmail customer. There was no other way to contact them about the problem, and they still took two weeks to make a generic reply to the effect of 'thank you for calling ... our engineers work hard constantly to improve the system ... are you still having trouble?"

Hell yes I was, but what they did in the meanwhile was tweak their error response. Now the rejection was "The IP you're using to send email is not authorized to send email directly to our servers. Please use the SMTP relay at your service provider instead." Which is already what I'd ended up doing while waiting around of course.

I told them that and got another two-week later canned reply saying "Thank you for your reply. We suggest that you utilize the SMTP relay from your service provider."

It's horseshit, and just laying the foundation to charge for 'guaranteed delivery'. Our machines are supposed to be able to connect to one another. This Gmail mess was proof positive it's not about spam because there was none. It's about making money by lying that it's about spam.

Competing Vendors.

[OgGreeb]

I have yet to see an adequate defense proposed against the problem of multiple "certified email" vendors in the same mail stream, where one vendor has been paid and the others haven't. How does one vendor ensure that validated mail gets delivered?

This is exactly the same problem with backbone pipe vendors wanting to get paid for "premium" bit transfer.

Re:Competing Vendors.

[OgGreeb]

That's great, for the recipient ISP. But if you host a legitimate mailing list, and 10% of your destination addresses are to AOL which accepts Goodmail, and 15% are to Hotmail, which requires MicrosoftHappy, and 12% go to GMail, which requires ReallyGoogle, and there are another 15 vendors represented amongst the 30% of smaller ISPs, then how much will it cost to get messages through again?

And what kind of mail transfer infrastructure will be needed to handle all the certification and payments?

radio

[falconwolf]

Read up on the early history of Radio. It used to be free to broadcast. Now it's really expensive. Soon the only web pages and mailing activities will be those that are sanctioned by the key masters.

No, it's cheap to radio broadcast, Pirate radio stations do it all the tyme. There's even pirate radio on the internet. What's espensive is getting a license to broadcast. And that's just how the mass media wants it. Clear Channel doesn't want more competition, it wants less.

Something smells here...

[BrokenHalo]

It doesn't really matter if someone filters mail into a spam bucket. The mail has been successfully delivered. The point is that all mail should actually be delivered to the addressee by default, not at the whim of an ISP making assumptions about whether the sender is friend or foe.

We're going about fighting spam the wrong way. We should just execute spammers (and maybe those who employ them) in the most painful, messy way that can be devised. Or maybe burn "THOU SHALT NOT SPAM" into their hides with a blow-torch. ;-)