ISPs Starting To Charge for 'Guaranteed' Email Delivery

Presto Vivace writes "Under the guise of fighting spam, five of the largest Internet service providers in the U.S. plan to start charging businesses for guaranteed delivery of their e-mails. In other words, with regular service we may or may not deliver your email. If you want it delivered, you will have to pay deluxe. 'According to Goodmail, seven U.S. ISPs now use CertifedEmail, accounting for 60 percent of the U.S. population. Goodmail--which takes up to 50 percent of the revenue generated by the plan--will for now approve only mail sent by companies and organizations that have been operational for a year or more. Ordinary users can still apply to be white-listed by individual ISPs, which effectively provides the same trusted status.'"

Fighting spam?

[LordHatrus]

How does it fight spam if the spammer can ask to be whitelisted, or if the spammer can pose as or actually be a business operating for more than a year? Lame.

Re:Fighting spam?

[tacocat]

No, you are really wrong.

The point behind guaranteed delivery is that the ISP will not blacklist your domain/ip address regardless of how many spam reports they receive. This is the whole point behind goodmail.

I just spend hours in a meeting discussing this very topic. Our company was blacklisted by AOL because too many people reported our email as spam (it's all mail that they opted in for -- default is out). The result was all of AOL delivery was blacklisted. Eventually we got it fixed, but the next tier to the solution is to pay GoodMail $$ to effectively certify our domains as legitimate senders and they pay AOL a portion of their proceeds to guarantee permanent whitelist status no matter what the users do.

The only criteria that AOL has leveled against us is if someone tags our email as spam, we have to remove them from the mailing list. But I don't know if this will change or not with the introduction of GoodMail into our mail delivery system.

Re:Fighting spam?

[tacocat]

If he tags what you sent as confirmation to his request, what do you think the chances are that they will also tag your newsletter?

A lot of AOL users tag messages as SPAM when they don't want to see them anymore. It's easier than opting-out and so they abuse the process. They have no repercussions to their actions.

But a lot of users do this. I see it in my house where I run my own mail server and my own spam filter. It's a bayesian filter so you have to tell it when it was wrong. Wife won't tell it anything but she complains about the spam she's getting. Can't help her. She's being obstinant and dumb.

Re:Fighting spam?

[Jay+L]

Of course, Goodmail can't guarantee that the *recipient* isn't filtering. And it doesn't blacklist anyone. It's just an accreditation scheme like DKIM, but at the per-message level instead of the per-domain level. It does three things, from what I can tell:

1. At the sender side, for those senders who are paying Goodmail, it adds a token to the e-mail that recipients can verify. This part could be great, if they open up a public way to validate that token (and it's in their interest to, I think). Spam filters like SpamAssassin could then score the e-mail differently. Either Goodmail is useless, or it's useful. If it's useless, recipients can ignore the token. If it's useful, recipients can decide to apply less filtering - or they can apply all the usual filters, and just (using SpamAssassin as an example) apply a negative point or two to Goodmail so it's less likely to get filtered.

2. At the recipient side for those recipients who are Goodmail "partners", it guarantees that your mail will bypass all other filters. This part is dubious. Will they regret becoming partners? Maybe, if people start sending spam that's signed by Goodmail. Can they get out of their partnership or change the terms? Dunno. Will the market sort this out? You bet. If Goodmail partners start delivering more spam than non-partners, people will switch to the non-partners.

2. Also at the recipient side for those recipients who are Goodmail "partners", it adds a pretty blue ribbon, etc. to the "chrome" of the e-mail. Yes, the chrome is unforgeable. No, users can't tell the difference between a blue ribbon in the chrome and a blue ribbon in the body. AOL tried this years ago with "Certified E-Mail", so you could tell when a message was REALLY from AOL. Did it stop phishing? No. This part is security theater.

Nobody gets blacklisted. Right now, ALL our mail is essentially second-class mail, subject to all sorts of filters. GoodMail creates a first-class tier that potentially bypasses all that if you pay for the "postage" (which is only 1/20th of a cent for non-profits). Again, the market will sort out whether or not that postage is useful. In fact, "postage" is probably the wrong word - it's more like "notarized" e-mail.

Re:Fighting spam?

[IngramJames]

AOL... I do that too

Surely you meant to type:

"Me too!"

Ahem. Thank you, thank you. The old jokes are.. well.. old.

Re:Fighting spam?

[caffeine_high]

We get this a lot, people just mark a legitimate message as spam because it is easier. This is particularly common with with aol users.

The best option I have found is to include a unique identifier in the message and setup a 'feed back loop' with aol. They send you a notification when someone marks a message from your domain as spam. We remove them from our system and then contact them to explain why their lazy actions effect other aol users. Usually they are shocked that they have been caught and vow never to do it again. They often also ask to get included in the system again.

Let's rate the ISP's

Comcast - EVIL
Cox - not very evil yet
Time Warner - The incarnation of Evil
Verizon - Pure evil

They didn't say who the other three are, but I'll guess here
AOL - Strange evil
BellSouth - Pure Evil
Mediacom - Incompetent Evil

Re:finally

[mikelieman]

You're not getting junkmail in your reality-based mailbox, then?

This has NOTHING to do with stopping Spam.

This is all about generating revenue from Spam.

And this will help how?

So the spammers who use botnets will just cause the hijacked computer's owners to pay thousands in email fees?
I can imagine the new "training" course at the grade schools:
Don't download music because you'll get sued for thousands of dollars by the RIAA and then have to pay thousands of dollars because a "virus" sent out emails from your computer!

Re:Breach of contract

[bwd234]

"Well, assuming an user pays for the e-mail account, isn't this a breach of contract and false advertising? By "providing an e-mail account", it can be assumed no real mail is ever meant to be knowingly dropped.

Declaring those who haven't paid the protection racket as not "real mail" is not really something that I would envision as something which would pass a non-bribed judge."

Guess what, this is exactly how the USPS works. They are not responsible for making sure the mail is delivered unless you pay more for it, like certified mail, etc.
How do I know? I was told this in so many words when I had mail lost and complained to the Post Office about it.
It was basically, "if you want to make sure it gets there, have it insured, otherwise..."

Yeah, nice little racket the USPS has too!

Yeah, that works

[scribblej]

I mean, my postal mailbox is totally free of spam-like mail, because companies have to /pay/ for postal mail.

Re:Yeah, that works

[Duhavid]

Sarcasmville.

Dubious statistic

[asuffield]

According to Goodmail, seven U.S. ISPs now use CertifedEmail, accounting for 60 percent of the U.S. population.

This is probably true as stated, but almost meaningless. Each of those ISPs will be counting the number of users that have email accounts with them, and then they just added up those numbers. The problem with this is that many users have more than one email account and don't use the one provided by their ISP - a large chunk of that 60% probably uses yahoo, hotmail, or gmail. Many people will also have another account provided by their employer.

It is not particularly useful to count email accounts as a fraction of the US population.

Spam Filters are Broken

[tacocat]

I think part of the problem is that spam filters are generally broken and don't work that well. Part of the problem is that no one has seriously thought about how crappy the approach is. The other part of the problem is that their is little or no personal ownership of the filtering of spam.

When the ISP/customer have no relationship on identification of what is spam the ISP has to aim really high and take the approach that anything that is obviously spam is not delivered and everything else is. The net effect is the ISP might not deliver porn spam, but they'll deliver many other things with impunity. If there was a more aggressive involvement of the customer/consumer of the email then you could better tune the filters to match each user better.

SpamAssassin is the worse offender. It's origination was to do static regex checks and add points for each hit. And when you were done, the points put you either IN or OUT. But in order for SA to work you have to tune the number of points added for each regex test. And this is constantly changing. But for it to work, you have to be constantly monitoring the results. No one does this on a consistent basis.

A critical drawback with their approach is the constant game of catch-up they have to play in order to get the filtering to work correctly and then someone has to run some update script to hopefully get everything working correctly. Again, this has to be done continually like the tuning or it will start to fail.

Bayesian filters offered a great alternative but they quickly turned into their own problems. SA uses Bayes, but it's not effective because of the lack of feedback from the consumer (in most cases). It's also prone to over-rides by their own auto-whitelisting. Convenient, but deadly. Where Bayes lacks goes back to the original problems of non-customized feedback and involvement. It's very inconvenient to try and set up something like bogofilter to run for every individual in a group of 1000's so the mail admin makes one file for everyone thereby generalizing the statistics and making them less effective because they have to be good enough for everyone but not so good they remove any of the really serious spam.

And yes, SA does user specific Bayes filtering. I used it for three months and it sucked. It was not a very effective spam filtering system even with user specific bayesian filtering included. It's also getting pretty darn slow. Slow enough to become a consideration.

DSpam is effective, customized, and slower than molasses in january. It will also lose email. But YMMV and I don't really care to hear about how great it is. I lost a lot of email and a lot of money as the result of it. Perhaps some day they can get their act together, but there will always be a severe performance penalty for CRM114. But Bayesian filtering can still compete with CRM statistical success with 100X performance increase.

So what do you do about spam filtering?

The technology exists to effectively and efficiently filter spam. But that's not the problem. The technology that is used today is relatively lame because there are shortcomings abound that prevent a good solution for someone really large (like an ISP).

The problem is to redefine how the consumer is going to own their own spam filtering effectiveness. No more auto-whitelist. No more auto-blacklist, No more auto-update of Bayesian tokens. All of these can be carefully manipulated to taint the statistics and allow delivery in droves. The consumer must take ownership of their mailbox in the same manner that they are expected to take ownership of their credit card information on the internet.

Feedback Form

[SeaFox]

Your post advocates a

(X) technical ( ) legislative (X) market-based ( ) vigilante

approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

( ) Spammers can easily use it to harvest email addresses
( ) Mailing lists and other legitimate email uses would be affected
( ) No one will be able to find the guy or collect the money
( ) It is defenseless against brute force attacks
( ) It will stop spam for two weeks and then we'll be stuck with it
(X) Users of email will not put up with it
( ) Microsoft will not put up with it
( ) The police will not put up with it
( ) Requires too much cooperation from spammers
(X) Requires immediate total cooperation from everybody at once
( ) Many email users cannot afford to lose business or alienate potential employers
( ) Spammers don't care about invalid addresses in their lists
( ) Anyone could anonymously destroy anyone else's career or business

Specifically, your plan fails to account for

( ) Laws expressly prohibiting it
( ) Lack of centrally controlling authority for email
(X) Open relays in foreign countries
( ) Ease of searching tiny alphanumeric address space of all email addresses
( ) Asshats
( ) Jurisdictional problems
(X) Unpopularity of weird new taxes
( ) Public reluctance to accept weird new forms of money
( ) Huge existing software investment in SMTP
( ) Susceptibility of protocols other than SMTP to attack
( ) Willingness of users to install OS patches received by email
(X) Armies of worm riddled broadband-connected Windows boxes
( ) Eternal arms race involved in all filtering approaches
( ) Extreme profitability of spam
( ) Joe jobs and/or identity theft
( ) Technically illiterate politicians
( ) Extreme stupidity on the part of people who do business with spammers
(X) Dishonesty on the part of spammers themselves
( ) Bandwidth costs that are unaffected by client filtering
( ) Outlook

and the following philosophical objections may also apply:

(X) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
( ) Any scheme based on opt-out is unacceptable
( ) SMTP headers should not be the subject of legislation
( ) Blacklists suck
( ) Whitelists suck
( ) We should be able to talk about Viagra without being censored
( ) Countermeasures should not involve wire fraud or credit card fraud
( ) Countermeasures should not involve sabotage of public networks
( ) Countermeasures must work if phased in gradually
(X) Sending email should be free
(X) Why should we have to trust you and your servers?
( ) Incompatiblity with open source or open source licenses
( ) Feel-good measures do nothing to solve the problem
( ) Temporary/one-time email addresses are cumbersome
( ) I don't want the government reading my email
( ) Killing them that way is not slow and painful enough

Furthermore, this is what I think about you:

( ) Sorry dude, but I don't think it would work.
( ) This is a stupid idea, and you're a stupid person for suggesting it.
(X) Nice try, assh0le! I'm going to find out where you live and burn your house down!