Slashdot Mirror
Hotmail & Yahoo Mail Using Secret Domain Blacklist
On December 7th I sent out a normal batch of emails to the Circumventor mailing list, where I send out new proxy sites for getting around Internet filters. I registered seven new domains and sent each domain to one seventh of the list; the list contains about 420,000 addresses, so each one went to about 60,000 people. (Each new site is only sent to a random subset of the list, so that a blocking company can't just subscribe one address to the list and block all new sites as soon as they're mailed out.)
The list is also comprised of 100%-verified-opt-in addresses, meaning that a new subscriber has to reply to a confirmation message in order to be added to the list. That's considered the gold standard for responsible mailing, but major email providers keep finding new ways to block the emails as "spam," which sometimes provide interesting insights into how the filters work behind the scenes.
After the last mailing, for example, all of my newly registered domains got disabled by the registrar because two of the domains had been incorrectly blacklisted by the Spamhaus Domain Block List. It took two days to discover the problem and then several hours to trace the problem to Spamhaus, although once I found Spamhaus's automated form I was able to get the domains un-blacklisted immediately. So the registrar re-enabled the domains a few hours later, although the traffic to the domains never returned to its previous levels. Spamhaus, meanwhile, continues to claim the DBL is a "zero false-positive" list, and has yet to acknowledge the error or contact me to help get to the bottom of how it happened. Well, they know how to reach me.
At least this time around, my domains didn't get disabled. Instead, the messages rolled out for a few hours with no problem (replies from users indicated that at least some hotmail.com and yahoo.com users were receiving them), until bounces abruptly started coming in from hotmail.com and yahoo.com addresses saying:
----- Transcript of session follows -----
... while talking to mta5.am0.yahoodns.net.:
>>> DATA
<<< 550 Message Contains SPAM Content
554 5.0.0 Service unavailable
After pummeling my address with bounce messages (to the point where my own Gmail account started bouncing because it was getting hammered with so many bounce messages from Hotmail and Yahoo), when the dust finally settled, I tried reproducing the error by sending test messages from my server's IP address to a test Hotmail account. It turns out that out of the seven different URLs that I had been mailing to our users, four of the domains in those URLs would generate a "550 Message Contains SPAM Content" error when sent from my IP to a Hotmail address, and the other three did not. The message didn't have to contain the banned domain in the From: address; the message would get blocked if it even mentioned the domain anywhere in the message body. (This only happened when sending from my own IP address at peacefire.org. It didn't happen if I tried sending a message from my Gmail account to a Hotmail address, even if the message contained one of the four banned domain names, so the issue probably won't reproduce if you try sending a test message yourself.)
But interestingly, Yahoo Mail started bouncing my messages at about the same time — out of the seven domain names, the same four domain names were being bounced by Yahoo Mail as by Hotmail, also with the error "550 Message Contains SPAM Content." That's far too unlikely to be a coincidence, so it looks as if Hotmail and Yahoo Mail are using a common secret blacklist of domain names that cause a message to be blocked as spam. (As it happens, the other three domains were also being bounced by Yahoo Mail with the error "Message Contains SUSPECT Content" — as opposed to "SPAM Content" — while those three domains were not blocked by Hotmail at all. That of course is aggravating, but the real clue lies in the fact that both Yahoo Mail and Hotmail were giving "SPAM Content" errors to the exact same subset of domains.)
I don't want to publish the list of all seven domain names here, so as not to make it too easy for censorware companies to block them all, but one of the four blacklisted domains was 'golflanding.com.' (All of the new domains I register are nonsensical two-word combinations, since those are the only .com domains that are likely to be (1) still available and (2) easy to remember.) As soon as it seemed like Hotmail and Yahoo Mail were working off of a common blacklist, I checked to see if Spamhaus had screwed up again and listed our domains, but none of the seven domains were on Spamhaus's lists.
I looked up golflanding.com on the blacklistalert.org service, which checks against all major spam blacklists, but no hits were listed there either (except for on some defunct services which haven't been updated in years).
So if Hotmail and Yahoo Mail are both using the domain blacklist, perhaps it's a list compiled by one company and then licensed to the other, or perhaps it's a third-party list not widely known to the public. (Hotmail uses their own SmartScreen filter, but I've found nothing online about Yahoo using it as well.) It's conceivable that one or more of the domains might have gotten blacklisted as a result of Hotmail or Yahoo users clicking their "This is spam" button. However, Hotmail allows newsletter publishers to view data about what percent of their messages to Hotmail users are being flagged by users as "spam," and when I looked up the stats for our IP, they showed a "complaint rate" of less than 0.1% (usually the rest of people hitting 'Junk Mail' to unsubscribe from the list). Assuming that the complaint rates are similar for Yahoo Mail, it's unlikely that the domains got blacklisted as a result of user complaints, unless the blacklist trigger has a ridiculously low complaint threshold.
Neither the Hotmail postmaster site nor the Yahoo postmaster site mention anything about a list of domain names that could cause a message to be blocked for mentioning the domains in the message body. Yahoo Mail does provide a support form for newsletter publishers to send inquiries about why their mail is being blocked; I submitted that on Saturday and started a thread with email "support," although so far their response has just been to copy and paste articles from the Postmaster site, with tips like "Send email only to those that want it." Each time, I reply saying, No, this is not the problem, the problem is that the domains in the messages are getting incorrectly blacklisted, and each time, support cheerfully sends me another article. If I'm not literally talking to a bot, I might as well be.
I opened a similar ticket with Hotmail, and they sent me a form letter saying that the emails were being blocked because of SmartScreen, and that as a matter of policy, they would refuse to fix any errors being made by the SmartScreen filter. Waiting to see if I get a reply from a human next.
So why should you care? Well, for one thing, if you care about users in China and Iran being able to receive proxies to get around their Internet blockers, right now Hotmail and Yahoo are thwarting these proxies more effectively than those countries' own censors are. Yes, these are real people who really do write back to me after a mailing goes out, telling me about how they were able to use the proxies to receive banned political information, and sometimes how long the proxy lasted before the censors blocked it. This week, they had to do without.
But more importantly, this is an example of a general problem: That there are certain types of issues, like blocking of legitimate mail by spam filters, where the "free market" does not deliver the best experience to consumers, and the costs get passed on to everybody. Sometimes the problems could be solved with some effort, but the effort does not get made, because people believe that the free market will solve the problem, or that it already has.
In theory, if consumers have enough information about different companies and their services, the companies can compete to provide the best product to users. The problem is that if one type of information is systematically hidden from users — in this case, the fact that their mail provider is blocking mails from reaching them — then the "theory" falls apart. Since spam getting into your inbox is a visible problem, but missed email messages are an invisible problem, Hotmail's incentive is not to give the user the best experience, but rather to err on the side of blocking legitimate messages — even if the user might prefer to get slightly more spam, than to miss one important email that they were waiting for.
This means we're not just talking about a few messages getting caught in filters, which could happen even in an efficient marketplace. We're talking about a permanent equilibrium where the user gets a sub-par experience by default — a trade-off that causes them to miss more messages than they want to — and senders have to pay the cost of overcoming the marketplace inefficiencies. (Which means if the sender is a business you buy from or a charity you support, the costs get passed on to you.)
Pretty much the entire financial cost of sending email, is attributable to the failure of the "free market" to motivate email providers to deliver non-spam emails into their user's inboxes. If a company or organization uses an email list hosting company like AWeber or Constant Contact to email their users, they pay a fee of about $1 per month for every 100 users on their list (which would run me about $4,000 per month). That fee doesn't go towards bandwidth — even a 1-million-subscriber list, emailed once a month, would use less than 3 GB per month of bandwidth, which is what GeoCities was was giving away for free 10 years ago. What you're paying for is the fact that AWeber and Constant Contact have friends in the right places at Hotmail, Yahoo, and Gmail, so if your mails are getting blocked, they know the people to call to fix the problem. If you run your own list instead of paying a hosting fee to AWeber or Constant Contact, you'll end up paying other costs indirectly, through loss of income when your messages don't reach recipients, or in time and money spent trying to fix the issue. (I have to take this option anyway, since I send different URLs to different random subsets of my list, which is not supported by AWeber or Constant Contact.)
On the other hand, if the market actually "worked" — if email providers did reliably deliver non-spam messages to their users — a company or charity could run their own list for virtually zero cost, and would be able to keep all of that money. (I incur no up-front fees for running my own list; all of the costs are the time spent trying to get Yahoo, Gmail, and Hotmail to stop blocking it.) So every time you donate to a charity or buy from an online retailer, a little bit of that money goes towards the cost of that organization having to fight past marketplace failures in order to get their email to you.
I don't think there's an easy algorithmic solution, like crowdsourcing Facebook complaints or using random-sample voting on Digg. Generally, I just think we need more awareness of the fact that, under certain conditions (including those surrounding email deliverability), the "free market" is virtually guaranteed to arrive at a non-optimal solution. One manifestation of that awareness would be if Hotmail, Yahoo Mail, and Gmail created public points of contact where legitimate email publishers could find out why their emails were blocked, and had real humans responding to the messages and fixing the problems. By default, the imperfect information in the marketplace leads toward an equilibrium that errs on the side of blocking too much legitimate email, so anything that pushes the equilibrium back towards more legitimate messages getting delivered will improve the experience for users and lower costs for senders.
Besides, there's a more basic ethical issue here. If you're Hotmail and you tell your users that you're providing them with "email accounts," then those users expect those accounts to work — including having the ability to receive mails from mailing lists that they've signed up for. Helping legitimate emails get through to users is not just a matter of addressing a marketplace inefficiency, it's a matter of honesty.
Larry Lessig's book "Code is Law" describes how default choices built into the architecture of the Internet and other environments — the "code" — can steer our behavior in ways that we might not choose otherwise. I'm making essentially the same point in saying that some problems are not fixed by market forces, because people are not aware of the problem at all. I think the evidence and the reasoning are straightforward in this case, but it's hard to convince people who have adopted it as an axiom that whatever the free market arrives at, must be the solution. My favorite single sentence in Lessig's book was, "Put your Ayn Rand away." I could imagine the years of pushing against dogmatic fanaticism that led him to write that sentence, and I knew how he felt.
Is there a summary of the summary available?
I could maybe see their necessity 10 or 15 years ago, but statistical classification techniques are good enough these days that a blunt tool like a domain blacklist doesn't really make much sense. Heck, Paul Graham was arguing that seven years ago, and it hasn't gotten less true.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
The blacklists and censorship dealings in China and Iran are directly attributable to their respective governments, there is no similiar connection in hotmail and yahoo's blacklists.
Stop this, you look like fools.
The only treatment is a deadly poison that you hope kills off the bad parts before the good suffers too much.
I think you just wanted to go on a political rant there. Seriously, you spend the post talking about the failings of two companies, ignoring the fact that there are other companies out there (well, you do mention GMail once, but you don't give any supporting evidence for it not being "open"), and act like two companies doing particular things is some kind of "failure of the free market."
So what's your solution? What's to stop a government-owned email provider from using this SmartScreen thing "as a matter of policy?"
Seriously? It's fucking news that there might be domain blacklists that aren't public knowledge?
What's with the gratuitous complaints about the "free market" not giving some mythical "optimal solution" that lets you send your "100% guaranteed opt-in" spam without interference? I call bullshit. If Hotmail isn't accepting your "really honest it's not spam" mailing list stuff, maybe you should try contacting them about it. The "free market" doesn't magically solve problems without people doing what it takes to address the problems.
Blacklists are nice because they reduce server loads. Sure, running a statistical classifier for one user is not so hard, but if you have to process hundreds of millions of messages per day, that is a lot of CPU time spent on spam.
Now, I agree that blacklists are bad, but we do need some system that doesn't require large amounts of CPU time or other resources. Hashcash is interesting here, in that the CPU time is mostly spent by clients; one might be able to slow spam down enough to let a combination of statistical filtering and greylisting take over.
Palm trees and 8
If it wasn't for real Viagra costing $25 a pill, there wouldn't be as hot a market for the spam.
He's saying that Hotmail, Yahoo, and GMail are running a cartel of free online webmail services.
He's trying to get opt-in email to accounts on these systems, and it's not going through. He has evidence indicating these services operate a common hidden blacklist service keeping those emails from getting to the accounts. He cannot reach people within these organizations to open up emails coming from his domains, as he does not have an inside contact to "assist" him with this problem. This leads him to speculate that Hotmail, Yahoo, and GMail are operating like a cartel, where only "approved" email list hosting service companies with inside contacts are able to do business with these services.
Better?
Are the proxy servers you are sending out on these lists capable of relaying mail onwards on port 25? If so this is probably a significant factor in these blacklistings. If you block outbound connections to port 25 when you set up these proxies, you'll probably find your blacklist problems are significantly reduced.
Blah blah blah ...... I sent craptons of mail to people who I'm sure want to receive it ..... but the system is telling me people don't .... blah blah ..... free markets suck.
I have worked on spam filters before. I've heard this story a million times. In case the article poster reads this, here's the blunt reality:
Those half-million people you think really really want new proxy sites all the time? Guess what, many of them don't. They are reporting your mail as spam which is why you're getting blocked (this is domain reputation). You may not understand why, but they are, so deal with it. Expire addresses that signed up a long time ago - some people won't unsubscribe when it's no longer useful for them. Make sure it's a simple, obvious one click operation to unsubscribe, and I mean really one click - not "click, log in, go to preferences" etc. Being able to unsubscribe should be the easiest thing in the world.
If SpamHaus is blacklisting you, they probably think you're sending mail to their spamtraps. Hence the "zero false positives" claim. Are you sure every single address on your list replied to a confirmation mail? All 400,000+ of them? Because it sounds unlikely.
Read my sig.
You are being MICROattacked, from various angles, in a SOFT manner.
Oh, someone is still using Hotmail and Yahoo?
Wouldn't it be just easier to do vice versa, block both and it would be a favor to us all.
Yes, verified opt-in is one requirement. But if you don't want to be marked as sender of SPAM, you should also make it *very* simple to unsubscribe. I know I've subscribed to a few lists, and at first read the emails, then ignored them, and eventually thought "should unsubscribe". But if that unsubscribing is difficult, I'll just hit "spam" in gmail (or whatever). I don't see the emails and more, and the sender gets blocked as spammer.
I could swear this same guy was complaining about problems with his "I swear it's not spam" mailing list several months ago.
Part of the problem with spam fighting is that we are not distributing the spam fighting load. Hashcash distributes the load somewhat, in that it forces spammers to use more resources to send out their message and can slow them down somewhat. A distributed filtering system that allowed people to volunteer CPU time and bandwidth to filter spam (with some system of gaining the trust of an email server) might also work; imagine if hundreds of millions of people were relaying / filtering 100 messages per day.
Palm trees and 8
I hate to use the if you were legit then you wouldn't need a proxy argument. However If he was using email the way most services want you to use it, he wouldn't have a problem.
Email was meant for a Person to send a message to another person or a small group of people, usually with people that you have some connection too.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
I used to work security at a major hosting provider. If we got complaints about your mailing list, the first thing we'd do is ask you about how you got your list, to see if it complied with our requirement for verified opt-in lists only. We'd also sign up ourselves or check logs and code, because customers always lie (except when they don't).
Right now, I'd apply the same standard of skepticism. I understand that revealing such things would make your proported aim of censorship circumvention hard, but I'd still like to hear independent verification from someone who can reasonably demonstrate the depth of their commitment to opting in.
Apple has a "secret list" too it seems, I had one case of this with one domain. When I called I explained to normal tech support the issue, they had me escalated where I explained the issue in a bit more detail. Within an hour or two I had a call back from Apple support telling me that the domain had been removed, I didn't pry any more I just figured since they have the right to deny email for whatever reason then have the right to do this. This came after looking over logs, and some packet captures, to make sure it was being delivered to their servers before making the call to Apple. Nothing indicated any type of failure/deferred/blocked from looking at those logs/captures.
Even S/MIME might meet your needs in this case. Encryption is cheap enough even for mailing lists now.
Its not Spam if you opt in. Spam is unsolicited. For this you have to request. Now is it possible the guy is bull shitting that part sure, however if we accept that the articles are bull why bother to read them?
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
He sends proxy address to people that requested that information. He send it weekly because the proxys are blocked.
The issue is that no one on the list of recipients got the chance to refuse the message.
How can you be certain he is not part of an internet forum dedicated to anonymity? What if he were sending an email with updates on domains that are security risks to a long list of subscribers to his IPsec newsletter?
There is a very long list of possibilities for what he could have been doing that was perfectly legitimate. Basically, USPS, UPS, FedEx, DHL, $common-carrier should not read your text-only message to determine if there is any information they don't like, and refuse to deliver it based on that alone.
Do you people not understand the concept of an email newsletter? For instance, I am subscribed to NASA Tech Briefs 's email newsletter, which purports to have an audience of over 77,000. Being a newsletter, of course those emails all have "the same web address in them" -- they're the same bloody content. This has been going on for decades (they've been a big thing since home users who never heard of usenet started getting internet access...), and as long as it ONLY GOES TO PEOPLE WHO VOLUNTARILY SUBSCRIBED, it's NOT MOTHERFUCKING SPAM! If your spam filter flags this, your spam filter is broken. Spam= UNSOLICITED bulk email, not all bulk email.
After the last article I signed up for the service of getting emailed the proxy sites. Guess what, I've had no problem. I've not recieved any spam to the email address I used. I've only received emails that I specifically requested.
So, ah.
Dude, you're a fucking idiot. Hotmail and Yahoo are not doing anyone good... Get lost!
If someone is running an incredibly popular opt-in email list, that doesn't automatically make them a spammer. In fact, because it's all opt-in it makes them the opposite. It's solicited, not unsolicited. Mr Haselton is one of the good guys, and you are a moron if you can't see that.
HELP MY ACCOUNT HAS BEEN HACKED BY AN ILLIBERAL ART STUDENT SET TO DESTROY THE INTERWEBZ!
I have to use a mail proxy, not because I spam (we send about 20 emails a month) but because verizon blocks port 25 outbound, and won't let me get a static IP at home for my mail server.
I pay 20/year for my mail proxy, gives me 200/mo that we never hit.
- Implementing DKIM?
- Implementing SPF?
- Make sure the sender address doesn't bounce?
- Make sure you don't open thousands of connections to the receiving party for each recipient ? (in case of yahoo, hotmail, gmail,
- The contents of the e-mail is not considered spam? (provide unsubscibe link, no big images included, etc...)
Setting up a mass-mail infrastructure is not to be taken lightly. There are lots of reasons why you could be listed as a spammer. That's why most companies outsource their their mass-mailing to 3rd parties like MailJet, MailChimp, SendGrid...
...You are over-qualified and under-paid. If we give you a raise, we will break the cosmic balance of the universe.
His behaviors are _similar_ to those of a spammer in number only. Having visited his site: http://www.peacefire.org/ it seems that he gets his email list from people subscribing to it on his site. If I understand it correctly, people who sign up for this list are looking for regular updates to proxies so that they can avoid censorship. As proxies are discovered by governments or certain companies , they are blacklisted, and new proxies must be created and sent out to the interested masses:
Now it could be that there is a better way of doing this, but it seems to me that no matter how this game is played, constant updates to users should be the norm...
Now that I think of it, perhaps a Firefox extension could do the trick. Signed extensions can be updated automatically. The extension could have obfuscated URLs that are decrypted with something like this: https://addons.mozilla.org/en-US/firefox/addon/domcrypt/ and then wired in to automatically select an available proxy from the current batch. Not perfect by any stretch of the imagination, but it solves the "spam" problem. Also, it maybe easier for users and harder for censors? Crap... now I'm not going to get any work done...
Early on (before I quit reading) the OP said:
It turns out that out of the seven different URLs that I had been mailing to our users, four of the domains in those URLs would generate a "550 Message Contains SPAM Content" error when sent from my IP to a Hotmail address, and the other three did not. The message didn't have to contain the banned domain in the From: address; the message would get blocked if it even mentioned the domain anywhere in the message body.
It seems to be treating his email as spam even when he sends one email to a single address.That isn't spam.
Had a similar problem with Yahoo... Implemented domain keys and signed all my outbound mail and it fixed the problem.
--=(nIgHt+im3 iz dA rIgHtT1m3)=-- | pr0gr3sR
I've been on his list for around six years, and as far as I can tell, everything he says in the article is 100% accurate.
Also worth noting that he submits articles about these things to Slashdot quite regularly. I recall one a few months back where he was first considering this exact experiment. I'd go find it, but I'm posting from my phone.
The "Optimal solution" isn't "perfect".
There are always tradeoffs, and the power of the free market is that it is relatively effective at weighing different options.
It basically brute forces the answer to any question. It's messy, ugly, often inefficient, but it works.
FWIW, I'm on that list. And if I was using hotmail or Yahoo I would be PISSED about missing those messages. Been on it since highschool where I used them to bypass the school's web filters (occasionally teachers would even promote these sites because we literally couldn't do our work without them); today I still use them for testing and occasionally at work if, for example, I need a document from scribd (why that is blocked I'll never understand...)
[Quote]Email was meant for a Person to send a message to another person or a small group of people, usually with people that you have some connection too.[/quote]
[Citation needed]
Email is Electronic Mail. You have large mailing lists like these with physical mail; you'd have to be an idiot to have thought something similar wouldn't be developed with email.
I hate to use the if you were legit then you wouldn't need a proxy argument. However If he was using email the way most services want you to use it, he wouldn't have a problem.
Email was meant for a Person to send a message to another person or a small group of people, usually with people that you have some connection too.
Then how do you send a message to a large group of subscribers (let's ignore the spam angle for now and say these people want the updates) notifying them of site updates, special offers, alerts, or whatnot. I don't think it's enough to say "well they should just go to the site and check it when they want to." First, I don't want to call up every web site I might have signed up with every day. I just don't want to go through that hassle. I would end up not doing it. Email is perfect for me, I can scan it quickly for things that interest, delete it all when done... no hassle for either myself or the services. What would you suggest to replace this that would work better?
Bennett Haselton is no spammer. He's been involved in anti-censorship for nearly 20 years; he began in high school by investigating the block lists operated by the filtering software installed in many schools and libraries.
Not a spammer.
wg
Top secret fact :Google gmail has faulty blacklist too!
I have has a website I have had for over 12 years at niftyspot.com
Its mostly ARM CPU assembler link info and has been for ages
Gmail blocks mail from its server from google group lists I subscribe to among friends! Some messages delayed for 5 hours, some sp*m blocked
why? because the ONLY domain I know not listed in the first 1000 results is my website!
Google has a vendetta against me... my domain!!. I used to be number one search result (www.niftyspot.com) on EVERY search engine I know, and various listings sites, for the phrase "niftyspot" and also for phrase "nifty spot"
Now I am BANNED and have been for months, but chinese google has me number one result. As do 4 other search engines. But google DELISTED MY SITE ENTIRELY FOR MYSTERIOUS REASONS!!!
Google has a blacklist. And it has NOTHING to do with anything logical. The domain has been a good citizen and compliant for over 12 years, and the emails sent are a handful a week to a handful of people.
TRY IT YOURSELF IN BING; Then try finding my site in google’s crappy search engine. Or try other search engines besides bing
My www.niftyspot.com is delisted as destination search ENTIRELY off google, but for years and today ALWAYS number **ONE** in other search engines (http://bing.com, http://yahoo.com, http://duckduckgo.com, http://www.baidu.com)
Oddly enough, I stopped being number one and was delisted on just Google and blocked in google gmail after a stranger possibly in India wanted to negotiate to but niftyspot.com from me. I don't accuse him, but I sold it to him this morning because I do not know how to fight google.
I am enemy number one to google
even islamic terrorist websites are listed, and asian drug distributers are on google, and competitors, but not www.niftyspot.com
check the other searach engines and chinese google if you doubt me.
All i say is 100% fact and true. I am and was number one everywhere , but BANNED and DELISTED off of googles faulty or evil technologies.
I am the only known domain delisted off google AND harrassed in gmail as well
So quit picking on Yahoo and Hotmail. Google does evil too!
He has even sued spammers.
Dude, you're spelling it wrong. That's going to be flagged for sure.
This signature intentionally left blank.
Ironic. Almost all blacklist providers keep proxy sites on their default "bad sites" list. Were I running URLBlacklist or similar, I would simply sign up for his email service and make a point of adding every web domain spotted in his emails. Almost an instant kill for the blacklist provider; by the time email recipients can act on the information, it's already been blacklisted.
--Brandon / Split Infinity Music
Want to know who sends mass email in batches like that?
Apple, Microsoft, NewEgg, Amazon, Zappos (an amazon company), Woot (another Amazon company), ZD Net, and so on.
Not every large volume emailer is a spammer.
The Christian Right is Neither (Christian nor right). See: Matthew 23, Matthew 25, Ezekiel 16:48-50
Why not use Verizon's mail server?
Most likely, because it sucks great big donkey balls. Now, that said I don't use version so I don't know for sure. What I do know from working for one of the top 10 ISPs (size wise) in the country is, most big ISP mail servers suck. Send any attachments of any size and they're apt to be blocked, get stuck in the queue, or just go in to the blackhole. Other issues are that the ISP might flag or block as your messages as spam because you want to send 200 messages on friday. And you have to put up with their filtering and blocking choices, that may not meet your needs.
I think your scenario is exactly what RSS is for, right?
I wouldn't be suprised if it's just Bayes. The majority of messages with links leading to those registrars' domains were categorized by human readers as spam, so automated bayesian analysis picked it up.
As long as you have Internet governance that is primarily concerned with eliminating certain forms of political speech (Great FireWall of [insert name of nation here]) rather than ensuring a free market and fair trade, you're going to have this problem. The same low-rent registrars are going to be used for criminal spam as for legit filter avoidance technologies, because they are looking for the same service (temporary domain names at minimum price).
How in the world did it take you two days to figure out Spamhaus was blocking your stuff?
Save yourself some time down the road and just go to mxtoolbox.com. Enter the domain name it and can check all kinds of things for you. If a list is blocking it, you can get details as to why. In the past I've seen various reasons, but most are pretty detailed and provide quick access to the forms you need to get removed.
As for your idea of a secret shared blacklist between hotmail and yahoo, it sounds more like it's just a dynamic content filter that pulls data from spam lists to prevent the propagation of bad links. I doubt it's 100% realtime, so after getting Spamhaus to unlist you, yahoo and hotmail need to wait for their next content filter update to see the changes.
Anyway, I just thought it was a little weird that it took you 2 days to even get to step two of your problem.
Because they won't let me relay my own domain through it, it sucks big fat donkey balls and it's subject to far tighter restrictions than what I use to send outbound.
I run all my outbound mail through a good spam filter (that forces all outbound to be scanned, regardless if it makes it through the mail server) and have a fairly open file size limitation (20MB, compared to last I tested Verizons 5 MB)
My outbound proxy has no size limitations, my outbound proxy handles all blacklist issues, and my outbound proxy handles all RFC compliance issues (it's dyn, they aren't a bit player)
In the end, filtering it through dyn just works, trying to send through verizon ends in frustration.
Been on the list since late 2005 and I never delete an email, so I can confirm.
You subscribe at his website and you get a confirmation request email. You confirm, and it sends another message confirming that you've been added. The content is legitimate, the volume is fairly low, every email gives two unsubscribe methods in the first paragraph of the message (click a link or reply with unsubscribe) and all messages are plain text.
Read the summary and you'll find out!
Preface: I am not taking the side of the spammer here. You keep that shit out of my inbox, fucker.
That said, the real issue is the censorship of people's messages without their knowledge or consent. Granted, nobody wants to have to filter through millions of V1@gr@ ads just to read their mail, but on the same note, nobody wants someone else going through their mail and arbitrarily deciding what will and will not be delivered. I understand the purpose of the spam filter, and am glad it's there - but a secret spam filter? Not cool - as far as I know, those who administer said filter may decide, 'you know what? I vehemently disagree with the political philosophy of Grassfire/MoveOn/other political group, let's add them to the secret blacklist.'
Real world analogy - think of Yahoo/Hotmail as UPS - just because it's a private company doesn't mean they have the right to go through the shit you ship (or do they? I, personally, don't ship a lot of stuff...).
An enigma, wrapped in a riddle, shrouded in bacon and cheese
For years I've noticed that Yahoo email will bounce emails I try to send which contain certain URLs. Legit websites, no spam, no malware. Next year Ixquick.com/StartPage.com are supposed to offer StartMail.com as a webmail alternative. I am anxious to try it out.
Double confirmation of opt-in, two methods to unsubscribe at the top of every message, legitimate content, low volume, and no tracking features (all messages are plain text).
I've been a subscriber since 2005 (just looked that up for a different comment; I never delete email) and this list is as far from spam as you can get. Shit, I've replied to those messages and gotten a response from him personally (Still have those too.)
If you still think this is spam, then apparently by your definition I have literally never received an email that wasn't. He provides a great service and runs a clean list. I'm a huge fan if you haven't noticed...
Because (1) the webpage would get blocked for the people who need to use proxies and (2) you don't want to give everyone the same proxies.
(If you want a tl;dr version of my post: Don't whine that a free service run by someone else isn't guaranteed to meet your business objectives). Actually a couple of points. The first one is, bulk email is bulk email and it really doesn't matter how "good" an actor you are, whether you are opt-in, etc. You are not sending individual hand-calligraphed invitations to a royal wedding, or any other kind of lovingly crafted correspondence; you are sending bulk flyers which most people won't read. It is possible, maybe, to classify CONTENT algorithmically. It is impossible to classify intent (CE vs UCE). The second one is, email is NOT a guaranteed service. Broken cable. Bad MX record. Squirrelly hard drive in a mail relay somewhere and your email is gone. Why are you complaining about one particular failure here? It seems that people who actually want to have a certain level of service guarantee (in this case, avoiding a legitimate antispam measure - regardless of how effective it is) - need to pay the piper. You resent this, and believe you should get an above-baseline level of service for free. Can you hear my boiling tears raining down on the volcanic desert of the Internet? The third one is: you paid nothing to transport the email, you only paid to squeeze it out the urethra of your computer into the public internet - from then on all the transport is ON SOMEONE ELSE'S DIME. If they choose not to forward it, that's your bad luck. You have no recourse. Stop whining. I have zero sympathy for any problems experienced by anyone distributing bulk email for any purpose. If you told me your correspondence with Aunt Franny was being swallowed by a demon at Gmail, or something of the kind, I'd be more sympathetic, because that's a realer problem (though my second and third points above still apply to the Aunt Franny case). It is specious, maybe arrogant, to pontificate that consumers "lose" or the "free market fails" when bulk email doesn't reach its (mostly uncaring, if not downright resentful) endpoints reliably. In summary: Grrrr.
Its not Spam if you opt in. Spam is unsolicited. For this you have to request. Now is it possible the guy is bull shitting that part sure, however if we accept that the articles are bull why bother to read them?
They're spam because people are clicking the "THIS IS SPAM" button.
They're clicking that button because they don't want the fucking emails and he keeps sending them.
This man is running a list (among many other activities) supporting individuals' rights to information freedom under repressive governments and you're implying he's either incompetent or, worse, underhanded?
This is inane.
And how much effort is required to fucking test this?
What causes rudy_wayne and those who upvoted his post to like the idea that Bennett Haselton is spamming and lying about it? And is their credulity what keeps them from performing such an easy test? Whatever the cause of the inanity, how can we discourage this problem in the future?
Now it could be that there is a better way of doing this, but it seems to me that no matter how this game is played, constant updates to users should be the norm...
Now that I think of it, perhaps a Firefox extension could do the trick. Signed extensions can be updated automatically. The extension could have obfuscated URLs that are decrypted with something like this: https://addons.mozilla.org/en-US/firefox/addon/domcrypt/ and then wired in to automatically select an available proxy from the current batch. Not perfect by any stretch of the imagination, but it solves the "spam" problem. Also, it maybe easier for users and harder for censors? Crap... now I'm not going to get any work done...
There are multiple benefits of email delivery that aren't present in the Firefox Addon model:
If I were the OP, I'd consider moving to an encrypted blog method of delivery (still via email), but doing it while being very conscious of the level of technical know-how of the target recipients.
Their very lameness and ubiquity is what makes them perfect for people living under oppressive regimes. When "everybody" uses a mail service, it becomes harder to block it without a lot of people noticing and getting pissed off. When they are so ubiquitous that even members of the regime use them, it's even better.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
If you want to distribute a "newsletter" to real subscribers, set up an RSS feed, or a Twitter feed for little stuff. Readers can then subscribe if they want, and they can unsubscribe without having to beg to be taken off the list.
This clown sent 420,000 emails. Of course he's a spammer.
I admin a few mail servers. I've run into trouble with Hotmail. Here's what I've learned:
First, there are a ton of url / domain blacklists available out there, no need to suspect a conspiracy within Hotmail and Yahoo. That said, I know they also maintain in house IP and domain based blacklists, along with full url blacklists. No idea if they share but I actually doubt it as that potentially weakens their competitiveness with the other email providers. Hotmail also uses a paid whitelist service too via an 'independent third party', although certain blacklist levels can even override that paid service.
Second, Hotmail splits mail up into three categories now, legit mail and spam which we're all familiar with, plus what they've dubbed 'graymail'. In short, graymail is legit opt-in mail that the user just never bothers to read. Thats right, your quadruple opt in email can be treated like spam by Hotmail if your users never bother to look at it. Generate too much, you're treated as a spammer. Can SPAM compliance or not, they don't care.
Third, if you manage to get on Hotmail's IP blacklist, there is no recourse that I can find. Their policy is tough expletive, move your mail server to a new IP or go away.
As far as the complaint level stats you can view through their Postmaster tools, they only show two of the three stats their system works on at the IP level, the complaint rate (people flagging mail, I *think* VIRI mail also counts in this column) and filter hits percentage, although this one is obfuscated to try and defeat spammers trying to tune around it. The missing stat is IP reputation, based on those first two stats over time along with external and internal RBL data. So when you DO setup on a new IP, it'll take awhile for their system to actually accept mail from you. You can subscribe to a feedback loop program, but that shows another issue with Hotmail:
They have no concept of traditional mail relays, they expect all individuals to be sending via Hotmail, Gmail, Yahoo, etc. All other port 25 traffic destined to them must be from commercial list serves. At least that's the impression I've gotten from going through all their postmaster policies and dealing with their ticket system. If you try to explain the idea of an ISP relay for use by people within that IP block, they just ignore it and resume pestering about opt-out notices, etc.
Comment removed based on user account deletion
And should the HFH and ACLU and all the other newsletters I subscribe to be blocked as spam as well? They send far more than 400k emails a month. Email is more convenient than RSS or worse Twitter, and is newsletters are a perfectly legitimate use of the medium.
they have a very long history of false positives and actually noone should be using them today anyway.
I've never wanted mod points more than I do right now to mod you down as well as the many other idiots like you who have made similar comments.
Read his entire article and you'll understand why he's doing that. I'm not going to tell you because your brain obviously needs the exercise. If you're too lazy to read then don't bother commenting. I'd also recommend actually reading the rest of the comments for the many people here who have subscribed to his list for years and verified that he's 100% legit.
There is nothing commercial or unsolicited about his service and it's a vital and important tool if value minor things like freedom. A single one of his e-mails is probably more valuable to the world than your entire pathetic existence.
Ironically enough, you can isolate the "moles" by listwashing, just like spammers do for spam traps.
You've already started the process: you know that three sevenths of your subscriber base is probably safe. In your next run, make sure each of the remaining four groups is subdivided again. Each time you find a group that isn't a mole, you've reduced the potential mole list. Eventually, you'll have just a few accounts and you can silently drop them from your service (or confront them, your call).
There was also an earlier comment on spammer abuse of your proxies that I'd like to expand upon. While it asks you about proxying port 25, there's also the potential for abuse with respect to port 80/443: 419ers are increasing their use of proxies to hide their identity from free webmail providers so they can get free passes on sending spam. If you're better at cracking down on them (by e.g. blocking access to yahoo and hotmail on your proxies), you'll probably have better luck overall.
Maybe you can combine the above two ideas: groups of subscribers known to contribute to getting blocked will get domains whose proxies can't use freemail.
Use my userscript to add story images to Slashdot. There's no going back.
To quote Pauli, this is not even wrong. The central fallacy to this entire anti-capitalist rant is that there's some nearly perfect solution to spam that the "market" participants are conspiring to deprive the consumer of. This contention is, not to put too fine a point on it, as deliberately dishonest as similar claims about running cars on water or perpetual motion machines. Spam is an arms race, not a problem with a "solution" that we've just been too lazy to find. Once you dispense with that fallacious premise, this entire screed can be summarized as "I'm butthurt because Spamhaus/Yahoo/Hotmail blocked my spammy-but-not-spam-because-I-said-so emails and they won't take my call" all wrapped up in a "won't someone think of the children...err...dissidents!" bow.
Email account providers have as many automated, heuristic-based blocking techniques as blacklist based. Have you considered that you might have tripped one? Like...a domain that was registered less than a week ago, first mailing we got from them was a carpet-bomb, content we've previously spotted and identified as spam? I mean, it's a lot less sexy than claiming there's a villainous corporate cabal in the back room twirling their mustaches as they condemn some hapless dissident to a life of Internet ignorance, but it is possible.
So you fail to understand why running open proxies gets you black listed?
Hell they don't have to have a 'secret domain blacklist' he freaking mails them the domains to ban.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
Not a spammer != Not facilitating spammers.
What do you think spammers do with a nice list of open proxies? THEY SPAM FROM THEM. He's distributing a list of spam producing sites and you're shocked that the list gets blocked?
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
If the guy does not want his stuff flagged as spam he should try sending e-mails with the same address people opted in for.
He is doing that - but the mail is being blocked purely because it mentions certain domains in the body of the message.
Need to type accents and special characters in Windows? Use FrKeys
Its impossible for him his lists content to follow CAN-SPAM laws ... he lists open proxies so people can not be censored ... do you think the spammers don't use them to get around blocks as well?
He facilitates spamming (not intentionally, but does none the less) so he's being blocked as such.
Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
So somebody who wants to block all the proxies would have to subscribe several times in order to get the full list (it's not like multiple subscriptions would be noticed on a list with 420k recipients). I was wondering how effective this method was. Here are my results, in case anybody else was wondering:
With 20 subscribed addresses, the chance of getting the full list is 70%.
With 30 subscribed addresses, the chance of getting the full list is 93%.
With 40 subscribed addresses, the chance of getting the full list is 98.5%.
With 50 subscribed addresses, the chance of getting the full list is 99.7%.
With 100 subscribed addresses, the chance of getting the full list is 99.9999%.
Seems like this method of evading the censors is only effective if they're not smart enough to write a couple of simple scripts.
CJ
Ah, arrogance and stupidity, all in the same package. How efficient of you. -- Londo Mollari
I need a document from scribd (why that is blocked I'll never understand...)
The McAfee block thing tells me that Scribd is a piracy website. Scribd hosts user-uploaded documents, and some of those documents are copyrighted by various companies.
Have a nice time.
ragging on the article OP probably haven't got a clue that people actually use other methods than Twitter/Facebook to update users about their service. Why is everything have to be in the open social communication. If someone was tracking his twitter it would take a few seconds to block all the proxy domains.
by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
These aren't regular proxy servers. They're web proxies. Just a regular web server running one of the standard web proxy scripts -- used to use cgiproxy, then phpproxy, now it looks like he's switched to Glype proxy. It's just a generic web server running a generic PHP script -- I fail to see how that is cause for a ban.
Good grief. Is Bennet Haselton still at it? I first crossed swords with him over a decade ago when I was Executive Director of Mail Abuse Prevention Systems, the famous or infamous, you pick, maintainers of the Realtime Blackhole List. Haselton should stick to what he knows best, and that is blocking of *websites*. I see his knowledge of blocking technology by email service providers is as dismal as ever. Hotmail and Yahoo have every right to block email they perceive to be spam. If they did not do so, their servers would crash under the barrage of email arriving every second. They spend countless expensive CPU cycles just *blocking* the spam from their networks. Is the system perfect? No. That is why both organizations have staff to deal with the "false positives" -- another needless expense for which you can thank the spammers. I know the anti-spam staff at both Hotmail and Yahoo. Members of their staff spend their entire days reviewing and responding to complaints about false positives, as well as tweaking the anti-spam filters. Forgive me if I don't shed any tears if the staff doesn't respond to Mr. Haselton's demands just because he stamps his feet. They're dancing as fast as they can. And you know what? Both Yahoo and Hotmail are *free* services! Imagine that! Do you know what else? There are many, many mailing list owners who will not accept subscribers with Hotmail or Yahoo email addresses *because* of deliverability problems at these two services. Both services are very well known by savvy mailing list managers for delivery problems. An entire industry of deliverability consultants has emerged to deal with email delivery problems at Hotmail and Yahoo. No, resolving email delivery problems at Hotmail and Yahoo is not for the faint of heart. I also see that Mr. Haselton has not lost his fondness of conspiracy theories. I seriously doubt that Yahoo and Hotmail are sharing their blocklists. They are competitors, after all. And suppose they did share information about their blocklists. What of it? It is entirely within their prerogative to do so. I would even say it represents efficiency for the two organizations to share their blocklists. But I'm reasonably confident that they don't. I believe Mr. Haselton has a fundamental problem with blocklists, period. I believe he has taken his philosophy at Peacefire about blocking web sites and is naively attempting to apply it to email. I base this belief on email exchanges and conversations I have had with Mr. Haselton. He does good work with Peacefire. I think he should stick to doing what he knows best and stop his crusade against blocklists. Until spam is eliminated -- which will never happen -- they are here to stay. And that is a Good Thing because email would be unusable otherwise. Nick Nicholas
We're talking about properly configured mail servers, no open relays, no backscatter, appropriate DNS, with opt-in recipients only and working, simple unsub options right in every email.
In how many languages are these unsubscribe options presented? I can't find the unsubscribe in a lot of Turkish mailing lists that I have ended up signed up to.
Hashcash is interesting here, in that the CPU time is mostly spent by clients
So how do you allow legitimate mail sent from pocket-sized, battery-powered mobile devices without allowing mail from spammers who have access to bots running on compromised always-on PCs capable of running hashcash on beefy GPUs? I was under the impression that Bitcoin mining was a form of hashcash, and GPU-accelerated Bitcoin mining trojans were spotted over a year ago.
Seems pretty easy to me...
If you speak English. I have ended up subscribed to plenty of mailing lists in Turkish, and I can't read Turkish to find their unsubscribe processes. Besides, some spammers have long been known to see a "reply with the word 'unsubscribe' in the subject" as a request to sign up for all the spammer's other lists.
How many RSS readers support authenticated feeds? And how would a site requiring authentication let a web-based RSS reader log in to retrieve the feed without letting the RSS reader impersonate the user in other ways?
as long as it ONLY GOES TO PEOPLE WHO VOLUNTARILY SUBSCRIBED
Addresses that voluntarily subscribe != people who voluntarily subscribe. Say someone cancels his Hotmail account, and later, someone else registers the same name. Who subscribed, and who continues to receive mail?
1) Before sending out the mass email, send a test email to your own gmail, yahoo and hotmail account. See what bounces back.
2) Either drop that domain and register a new one OR
3) Base64 encode the URL in the email, with the provisio "Run this through base64decoder.com to get the address"
UTF-8: There and Back Again
Using SPF is a bare-minimum for even a self-run SMTP server that only has a handful of users with no mailing lists. Anything larger needs DKIM.
One other thing Bennett can try is to have a pipeline of registered domains ready to be used. Each domain in each URL is scanned by spam filter, and young domains (via registration age in WHOIS or the daily registry-published zone-file which yahoo/hotmail/gmail all have) are more "spammy" than older domains, simply because spammers do the same thing here - register new domains and mass-email them out as URLs.
They call it spam. I call it advertisements.
Casteism
Well, gee, than MAYBE the summary should post clearly what he is doing. Instead of saying
"Well, I am not doing anything illegal and really really it's not spam"
There is NOT a single thing in that WHOLE post that says he's doing this for freedom. Nearly every spammer claims their list is double opt-in. So how the !@#$% is anyone to know. There is one link to Circumventor List - sorry, that's blocked by work. So it gave no info.
Don't frickin flame me....flame the idiots who post a slashdot entry without giving an iota of background info.