Krebs on Microsoft Suspending "Patch Tuesday" Emails and Blaming Canada

tsu doh nimh writes In a move that may wind up helping spammers, Microsoft is blaming a new Canadian anti-spam law for the company's recent decision to stop sending regular emails about security updates for its Windows operating system and other Microsoft software. Some anti-spam experts who worked very closely on Canada's Anti-Spam Law (CASL) say they are baffled by Microsoft's response to a law which has been almost a decade in the making. Indeed, an exception in the law says it does not apply to commercial electronic messages that solely provide "warranty information, product recall information or safety or security information about a product, goods or a service that the person to whom the message is sent uses, has used or has purchased." Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

Blame Canada!

[BenSchuarmer]

Seems like a no brainer

Re: Blame Canada!

[irbeginner]

Yeah. With their flappy heads and stuff.

Re: Blame Canada!

That "stuff" is called beady eyes. Turn in your SP card please.

Re: Blame Canada!

Hey! fuck you buddy.

Re: Blame Canada!

[sconeu]

On the plus side, though, they did give us Terrence and Phillip.

Email is expensive?

[fahrbot-bot]

Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

Wait, what? I thought Email was cheap, 'cause, you know ... spam.

Re: Email is expensive?

Welcome to corporate finance.

Re:Email is expensive?

[Penguinisto]

I thought Email was cheap...

It is unless you use Exchange server farms to send it. Then it's gawdawful expensive.

Re:Email is expensive?

Sending email is cheap. Paying off the people to get it to show up in people's inbox isn't.

Re:Email is expensive?

[freeze128]

Email requires bandwidth, and you can't distribute it through a CDN like you can with downloads. It's cheap for spammers because they anonymize their email, but security notifications say they come from microsoft.com. Now consider that you have BILLIONS of emails to send. That can get costly.

Re:Email is expensive?

[X0563511]

I can't imagine Microsoft has to pay Microsoft for Microsoft products. Accounting may want them to move the money around, but that's stupid and pointless because it doesn't actually cost them money to give it to themselves.

Re: Email is expensive?

[NatasRevol]

Somebody is accountable for bandwidth expense.

I doubt it's trivial at this level.

Re:Email is expensive?

[jeffmeden]

I can't imagine Microsoft has to pay Microsoft for Microsoft products. Accounting may want them to move the money around, but that's stupid and pointless because it doesn't actually cost them money to give it to themselves.

If the cost license doesn't get you, then the compute cycles, ram allocations, and administrators' salaries will... /troll

Re:Email is expensive?

[jeffmeden]

Email requires bandwidth, and you can't distribute it through a CDN like you can with downloads. It's cheap for spammers because they anonymize their email, but security notifications say they come from microsoft.com. Now consider that you have BILLIONS of emails to send. That can get costly.

Why can't you distribute it via a CDN, exactly? I mean someone like Microsoft has either direct control over, or actually runs their own CDN servers: firing up a SMTP service (to route mail based on proximity to destination MX) should be the easy part.

Re:Email is expensive?

You really have no idea how budgeting, and accounting and divisions and tax laws and outsourcing works. Got it. Now, for the rest of us, on the triplicate recieving end of notifications that we aren't going to patch till the weekend, this is still slightly good news. Breaking a stick off in some lawmaker while shrugging your shoulders is just funny.

Re:Email is expensive?

[weszz]

sure it would... the salary of the people doing the work to move money around and account for it.

A few months ago I put a request into the company I work for asking for a $20 piece of software (against policy to buy it and install it myself, gotta go through the process...)

Looking at the process, it would have cost thousands in employee time to document, review and approve the purchase of the $20 piece of software at all the different levels of management involved in it. it's insanely wasteful.

Re:Email is expensive?

[Stan92057]

its cheap for spammer because they steal others bandwidth/computers/servers. 100,s and thousands of automatically made yahoo accounts/google/MS and so on to send there junk. MS is pissed they can add in an email buy win 8 or buy from one of our trusted 3rd party partners. Which they already think its there god given right to spam. Thank AOL for this at the very end advertisements were in every email you got from a friend or business.

Re:Email is expensive?

[bob8766]

Combine this with the fact that they have all of the email infrastructure in place already to support message delivery for Hotmail and Exchange Online, and it does literally cost them almost nothing to deliver these messages which are a tiny drop in a huge ocean of mail they deal with. I'm inclined to think that email cost has anything to do with it.

Re:Email is expensive?

you know, i just don't get this...
*what* skeevy sites are 99% of you visiting that you have a *real* 'spam' problem ? ? ?
(NOT an 'imaginary' spam problem, which is that you get ANY non-zero spam at all...)

i'm online a lot, and while i visit a basic set of websites regularly, i also smoosh on other links all the time that take me to a lot of different sites...
why don't i have 'tons' of unacceptable spam like you guys -evidently- do ? ? ?
i have LOTS of stuff that i specifically signed up for, but other than that, i get hardly get any spam, and nothing that i can't get through with hardly an eyeblink...
i don't get it...
spam just *isn't* a 'problem', it just isn't...
(this is across a couple different email address, work and home, and i just don't get my inbox clogged with spam; what are you guys doing to get unacceptable amounts of spam ? ? ?)

Re:Email is expensive?

[X0563511]

Ah, derp - I didn't consider the resources involved, just licensing.

Re:Email is expensive?

[mythosaz]

Most spam is sent from "legitimate" ISPs on pink contracts.

Re:Email is expensive?

[freeze128]

You still need to get the recipient list and the body of the emails to the smtp nodes. If you're going to do that, hell, just send the email yourself.

Re:Email is expensive?

There are tons of e-mail sending services. I'm not sure how you define a "CDN" but they essentially serve that role. Companies like SendGrid have hundreds of hosts across multiple datacenters that are dedicated to relaying email for their clients.

Re:Email is expensive?

Everyone knows that Windows wasn't developed by Microsoft, but by Seattle Computer Products. MS is a software *reseller*, not a vendor.

Re:Email is expensive?

[stoborrobots]

Are your email addresses hosted with services like hotmail, gmail, or managed by competent admins who use services like spamtitan or mailcleaner? It's very likely you're seeing the results of a large number of people working very hard to keep the spam you receive away from your inbox...

Re:Email is expensive?

[lsatenstein]

Several people have observed that Microsoft likely is using the law as a convenient excuse for dumping an expensive delivery channel.

Wait, what? I thought Email was cheap, 'cause, you know ... spam.

I am getting emails from head-hunters, asking me if I will accept emails with their job offerings. So, headhunters can no longer send out reams of emails to me without my approval.

I wonder if that applies to cross border job offerings.

Re:Email is expensive?

[Shirley+Marquez]

Er, no. The original version of DOS was developed by Seattle Computer Products; later versions contained contributions from IBM and Microsoft. Microsoft Windows was Microsoft's baby all along, though it certainly got ideas if not code from OS/2 which was jointly developed by IBM and Microsoft.

Re: Email is expensive?

Given the scope of Azure, Office365, Hotmail, etc. I don't think bandwidth is the issue. It's not like they're using Magnetmail, ExactTarget, or some other marketing service to send out millions of plain-text PGP-signed emails.

Just visit the website?

https://technet.microsoft.com/en-us/security/advisory

Are calendars with recurring reminders a thing anymore?

You can even setup a cronjob or a windows task to open the website on a regular basis if you are extra forgetful or lazy.

Of all the things to bitch about with respect to Microsoft...

Re:Just visit the website?

[jeffmflanagan]

>You can even setup a cronjob or a windows task to open the website on a regular basis if you are extra forgetful or lazy.

Yes, because that's something normal people routinely do...or you're totally disconnected from reality, but just smart enough to realize that you're stupid, so you posted as an AC.

Re:Just visit the website?

[aevan]

So it's the new 30k oil change then?

Re:Just visit the website?

"Normal" people don't routinely read emails about Microsoft's security updates, either.

Re:Just visit the website?

[ganjadude]

normal people no, but to the people these are targeted to, it should be trivial to set up

Re:Just visit the website?

[Penguinisto]

https://technet.microsoft.com/en-us/security/advisory

Are calendars with recurring reminders a thing anymore?

You can even setup a cronjob or a windows task to open the website on a regular basis if you are extra forgetful or lazy.

Of all the things to bitch about with respect to Microsoft...

Because, you know, the typical small businesses are overflowing with IT-wizard-like employees who are masters at using these things, and hold the process in high enough regard to keep an eye peeled for patches.

Oh, wait, they aren't.

Re:Just visit the website?

[Shakrai]

Because, you know, the typical small businesses are overflowing with IT-wizard-like employees who are masters at using these things, and hold the process in high enough regard to keep an eye peeled for patches.

A business that can't be bothered to keep competent IT most likely has automatic updates turned on, even for their servers, thus the e-mails to them would be redundant. Businesses with competent and dedicated IT people are most likely using WSUS, which provides its own mechanism to get e-mails about newly available updates, as well as total control over when and where they're installed.

Conspiracies, please.

OK, what's the real reason for this? It's obviously not the law, and it's obviously not the cost associated with sending out e-mail - if you think ASCII e-mail is a bloated bandwidth hog, you should try watching the average HTTP transaction.

So, here's my conjecture: they are initiating a corporate policy of phasing out e-mail in favour of... something with more lock-in. Just like they wanted to show that they were so hip-against-the-desktop and in favour of walled garden app stoers that they tried to phase out the Start menu.

But what is the alternative they are planning over which they are prematurely beginning their masturbatory fantasy of full control?

Re:Conspiracies, please.

[datapharmer]

RSS.

Re:Conspiracies, please.

Specifically,

Basic Alerts: http://technet.microsoft.com/en-us/security/rss/bulletin
Comprehensive Alerts: http://technet.microsoft.com/en-us/security/rss/comprehensive
Security Advisories Alerts: http://technet.microsoft.com/en-us/security/rss/advisory
Microsoft Security Response Center Blog Alerts: http://blogs.technet.com/b/msrc/rss.aspx

Re:Conspiracies, please.

That's not a reason to abandon e-mail. Many think RSS is a horrible kludge, me included. And some just prefer e-mail.

Re:Conspiracies, please.

[tepples]

RSS and other HTTP documents can be cached on a proxy at the border. Mail can't so easily, especially with spam filters breaking large Bcc lists. If you prefer mail, write a proxy that polls RSS feeds and sends mail when one changes.

Re:Conspiracies, please.

especially with spam filters breaking large Bcc lists

Limiting number of RCPT TO lines is a fucking awful way to handle spam, and explicitly discouraged by RFC 2821:

              The minimum total number of recipients that must be buffered is 100
              recipients. Rejection of messages (for excessive recipients) with fewer
              than 100 RCPT commands is a violation of this specification. The general
              principle that relaying SMTP servers MUST NOT, and delivery SMTP
              servers SHOULD NOT, perform validation tests on message headers suggests
              that rejecting a message based on the total number of recipients
              shown in header fields is to be discouraged. A server which imposes a
              limit on the number of recipients MUST behave in an orderly fashion,
              such as to reject additional addresses over its limit rather than
              silently discarding addresses previously accepted. A client that needs
              to deliver a message containing over 100 RCPT commands SHOULD be
              prepared to transmit in 100-recipient "chunks" if the server declines to
              accept more than 100 recipients in a single message.

In any event, consider ten million subscribers. That's 100,000 copies pushed out per month. If each e-mail were 200k in length, we're talking 20 gig a month. if you think that's a significant dent in Microsoft's bandwidth budget, you're crazy.

Re:Conspiracies, please.

[X0563511]

I don't suppose there's a way to get a feed for only the products you care about?

Re:Conspiracies, please.

[tepples]

Under a strict interpretation of that RFC, how should filtering of abusive mail be accomplished at all?

Re:Conspiracies, please.

Please highlight specifically what in the RFC you're referring to.

Also, if you want, assume the unrealistic worst case scenario: 1 mail per RCPT line, so we're now talking 2 terabytes a month. I, as an individual of reasonable means can afford that with beer money, and I don't have any peering agreements with anyone.

Re:Conspiracies, please.

200k? Their GIF header/footers are probably bigger than that.

10M subscribers? Probably 10x that amount.

Assuming only one email sent per month? Ludicrous.

Re:Conspiracies, please.

1) Pictures don't have to be embedded in HTML e-mail;

2) Anyway, didn't even realise you could receive security alerts in HTML format. Plaintext, please. In fact, the idea of an HTML e-mail full of pictures for distributing security advisories is pretty horrendous, so if they want to switch to plaintext-only, that's fine with me;

3) OK, 10x, and 10 RCPT lines per e-mail. That's 2 TB/month. Still spare change for me, let alone Microsoft;

4) For the monthly security alerts, mails are sent, on average, I would say... once a month. If you include out of band updates for operating system software, twice a month.

Re:Conspiracies, please.

[nabsltd]

Limiting number of RCPT TO lines is a fucking awful way to handle spam, and explicitly discouraged by RFC 2821:

All that says is that you should not reject the message based on the number of recipients. You can, however, temporarily reject (using a 4xx status code) recipients after some set number. Any good MTA will retry the tempfails.

I currently have a variation of this in place where any e-mail to a "special" address (like postmaster or webmaster) can't have any other recipients at my mail server. Right now, it's a log-only rule, and hasn't been triggered very often, but I wanted to make sure I don't reject or filter messages to those addresses, but I also don't want them to be used to allow unfiltered spam to be sent to everyone else in the domain.

OTOH, if the e-mail is a bounce (defined as from ""), I do reject it if it has multiple recipients, directly in violation of the RFC portion you quote. The is because a bounce is to notify the sender that something went wrong, and it's impossible to have more than one sender.

Re:Conspiracies, please.

For a real security notification email, it must be an exploit itself, to test antivirus scanners.

Solitaire is to blame not Canada

The average game lasts three minutes, three games a day. That's about 10 minutes lost productivity a day. 200 days a year that's 2000 minutes, or 34 hours a year. That's an entire work-week (FR) spent playing solitaire, each year. Blame it on the rain? Canada? No! Blame Microsoft!

Re:Suck my dick

[dysmal]

Clearly school is out for the summer and the kiddies are bored.

they might be right.

[nimbius]

for the windows crowd: Unix Linux and BSD sending and receiving an email is pretty mundane business (even to millions of people.) Sendmail begat postfix, which tidied up the nuts and bolts of SMTP in the land of penguins neckbeards and that cartoon blowfish you occasionally see.

sending email from Exchange is orders of magnitude more complex by the nature of Exchange as a monolithic communications product. Because exchange does scheduling, calendaring, contacts, unified messaging, failover management, automatic load balancing, remote configuration management, archival, database storage, advanced RBAC permission delegation and cool stuff like shadow redundancy, outlook servers themselves have become increasingly divorced from the RFC for the SMTP. It isnt a bad thing for businesses that rely on being constantly connected, but it does mean the simple act of sending an email means relying on what for us would be an OS in itself. Exchange 2013 requires 2 gigabytes of free disk and recommends 16 gigabytes of free RAM. To compare and contrast, many in the BSD community can handle millions of messages per day with 2 gigabytes of ram and 1 gigabyte of free disk. that includes storage for the message being sent.
I think microsoft is doing this because exchange wasnt designed to just "send an email" anymore. it expects interactivity, redundancy, and universal access to the information being sent by default. the *nix solution runs hard and fast, but as an SMTP implementation requires significantly more engineering to provide the same level of service and feature set as outlook.

Re:they might be right.

[Richard_at_work]

You don't need to install Exchange to handle mail on a Windows box, the included SMTP, POP and IMAP services work fine.

Re:they might be right.

Oh, you *nix kids and your fancy email implementations....

Why on earth would they use Exchange to do such a task? Exchange is a product aimed at corporate users, not customers. They would just use some flavor of their SMTP service and a program of some sort to pump the messages into it.

Also, no matter how many sendmail servers you have you can't get around the fact that egress still takes bandwitdth. And they are working at a little higher scale than the "watch me nerd out more than you" listserv.

Re:they might be right.

Bullshit. This is exactly the type of real-world environment they should be load testing Exchange with. If Exchange can't send email efficiently what good is it? This is an even better environment than REPY ALL because you have real servers across the planet that may greylist you, timeout, etc.

Microsoft should have no issues tuning for this environment.

Re:they might be right.

[Dishevel]

Oh, you *nix kids and your fancy email implementations....

Why on earth would they use Exchange to do such a task? Exchange is a product aimed at corporate users, not customers. They would just use some flavor of their SMTP service and a program of some sort (Perl. Perl fixes everything.) to pump the messages into it.

Also, no matter how many sendmail servers you have you can't get around the fact that egress still takes bandwitdth. And they are working at a little higher scale than the "watch me nerd out more than you" listserv.

Re:they might be right.

I just read this a couple days ago, and /. editors, and the submitter got blasted for coming up with imaginary conspiracy against MS.

Laughable how many people believe MS is the savior of everything, and never makeup bulls**.

Re:they might be right.

[Just+Some+Guy]

Also, no matter how many sendmail servers you have you can't get around the fact that egress still takes bandwitdth.

I just got a large, image-filled email from a vendor, and it came out to 20KB (including headers). Let's assume Microsoft's announcement emails are that huge, and that Microsoft sends out 100,000,000 of them. Let's further assume that Outlook is smart enough to batch recipients to the same domain with a conservative 10-to-1 reduction in number of unique messages sent (probably closer to 500-1, given the number of Gmail users you can collapse). That math works out to about 1000 gigabit ethernet seconds, or about about 1 second of AWS's estimated bandwidth-time, or about 3 seconds of Azure's estimated bandwidth-time, or about a second of traffic at a major porn site. And that's with hugely conservative worst-case estimates for all the numbers involved.

Egress doesn't take nearly the bandwidth you might think it does.

Re:Happy Monday from The Golden Girls!

[jargonburn]

I should know better than to feed the trolls....but I just don't get this "Happy Monday from The Golden Girls" thing.
I've seen it a few times on various articles (maybe not always "Happy Monday"). I guess I could Google it, but that seems like a lot of work for something as unimportant as this.
*shrug*

Twitter? Windows Update? Fools

Is there no reason they couldn't just use Twitter?

And besides, isn't this solved by Windows Update? Why are they sending email at all? Shouldn't Windows Update just tell you 'Hey, Idiot, you have a patch to install' like every other piece of software does these days?

Haven't they heard about Help-->About-->Check for Updates?

Amateurs

Re:Happy Monday from The Golden Girls!

It's supposed to by 'confidant' not 'cosmonaut'

It is Canada's fault!

Canadian IT head here. Just spent the morning reading over the law that this is in knee-jerk reaction to. I think Microsoft's reaction is warranted. According to the new law, a company can be charged up to 10 Million dollars for an infraction (read single email) of un-solicited email. The law is poorly formed, and not well thought out, as well as lengthy and vague enough to create a broad swatch of culpable people.

What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before and, and they believe your email to be spam, boom, you are culpable. Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

All email a company produces in Canada form this point on have to include a link in the bottom or ability to opt out of all future email.

Canadian businesses, no matter how small, are beholden to this law. Small companies are going to fold left and right because they cannot afford to comply wiht the new regulations, and those that don't try to comply run the risk of paying a huge penalty.

In my personal opinion this is a grab at trying to make Canada Post relevant again (and financially viable). At the moment bulk mail is the only thing keeping Canada post afloat, and if you couldn't send an email to try to drum up business, you can always send a mailer...

While anti-spam law is well intentioned, in it's current form it is so broken it should not have seen the light of day.

Re:It is Canada's fault!

[XanC]

Thank you!

The summary makes me want to laugh and cry at the same time. So the people who wrote the law don't think there are any costs of compliance? I'm sure that's not news. That right there is a HUGE problem with government solutions.

Re:It is Canada's fault!

Seriously?

You think the anti-spam laws which people have asked for are a ploy to boost Canada post?
Conspiracy theory much?

"Canadian IT head here. Just spent the morning reading over the law that this is in knee-jerk reaction to. "

So are you speaking on behalf of all Canadians, as in you are the head of IT for Canada?
Is the fact you spent the morning reviewing a complex law important to your point?

Were you part of the review process for CASL and therefor are speaking from authority/direct involvement?

Let me guess, your company sends what can be considered "spam"?

Re:It is Canada's fault!

Nope, neither I nor my company send the spam. No I wasn't on the CASL. Just trying to give a perspective from someone in the IT field who's clients are about to have to change their business practices, not just the spammers but ALL business using email as a point of contact with their clients AT ALL. So as an IT person in Canada who does contract work with small businesses my load is about to significantly increase, and my clients profitability (regardless of whether they use email to self promote) is about to dive. For some, not using email at all, will be a better business practice than the cost of compliance.

I am not saying the goal of reducing spam is bad, in fact I agree an opt in system would make more sense, but unfortunately businesses have had this law sprung upon them, with little warning, and the penalties for infraction are huge. Of course people want less spam, but, since the law became public people have been extra-inundated with email from everyone they have ever done business with asking them to opt-in to all future email correspondence.

On the Canada post thing, not I don't really believe that is the main drive behind the move, but if you read through the law, it certainly seems like it is trying to shut down the major competition. Even if that isn't the intent, that will be a major outcome. That's why I thought it relevant.

Re:It is Canada's fault!

What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before and, and they believe your email to be spam, boom, you are culpable.

Good! That is the definition of spam. Spammers should die.

And this Canadian law is completely irrelevant to most mailing lists.

To get on a mailing list, you have to submit your email address, then they send a confirmation message, then you have to click the link in the email to confirm that you actually want the messages.

That is clear consent. And many mailing lists require you to reconfirm every 6 months or so.

Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

What, you think just because you paid for the computer you think it belongs to you? The computer belongs to apple/google/microsoft and they can install software on it whenever they feel like it.

All email a company produces in Canada form this point on have to include a link in the bottom or ability to opt out of all future email.

Pretty much all email from responsible companies have been doing that for years.

So in summary, there is nothing in this Canadian law that applies here.

As a "Canadian IT head", you're an idiot, or a troll.

Re:It is Canada's fault!

Cost of compliance? How hard is it to provide a *real* opt-out ability in a commercial e-mail, rather than one that gets ignored or that guarantees you get onto the "more spam" list because it is confirmation the mail is read by a human? If you can't support the ability to do tracking to figure out who does and doesn't want those e-mails, then you shouldn't be in the business of sending out mass e-mail AT ALL. If you can afford to send out mass e-mails, then invest in the tools to track recipients or !@$#%! off. If you can't afford the cost of compliance to provide your business e-mail recipients with a choice about receiving further messages, and do it diligently, then don't send the message.

There are also clear exceptions for matters of warranties, security updates, and the like.

And to keep Canada Post relevant? It is to laugh. It is because people are fricking fed up with spam, and said so loudly, frequently, and angrily to regulators years ago. It was a concession to give plenty of time for businesses to figure out the technical process. The last couple of months I've already started receiving messages with the proper opt-in links at the bottom, and I've already opted-in to a few of them from businesses that I deal with regularly. I'm also glad for the ones where I haven't opted-in, which will hopefully treat my lack of response as a correct sign that I don't want to receive more of their messages. That's a lot less hassle then trying to contact them all individually and say "no thanks", or running the risk that any response is only going to get you back on the list. The rest of the ones that don't even provide that choice can burn in spammer hell for all I care. I have ZERO sympathy for them.

Re:It is Canada's fault!

[GrubInCan]

Modded Informative?

This guy is informative: http://www.michaelgeist.ca/con...

You'll note that "The law also includes a three-year transition period that ensures that as long as an organization already has implied consent, it has until 2017 to upgrade to an express consent"

Re:It is Canada's fault!

[Mashiki]

"Upto" is the key wording. Remember this is the key point in case law, especially for setting abuse precedents. And it's sure not going to cause small companies to fold left and right. If it does, the business is already doing something wrong, and thriving off of bulk spam in the first place. What this is, is an extension of the DNC, and since we're moving in a direction of tossing mail to the wind--especially with companies now charging between $1 to $8 for a bill to be physically mailed, I'm sure you can see where there is a problem.

But let's be realistic, if Canadapost can operate Purolator with a massive positive income, where are they going wrong at operating their letter carrier service. If anything, their latest stunt of pushing people to corner-boxes and no home delivery is what's simply going to kill them faster.

Re:It is Canada's fault!

[cdrudge]

What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before and, and they believe your email to be spam, boom, you are culpable.

Easy solution: don't email people that you don't have reasonable proof that they explicitly opted in sometime in the previous 2 years. I can't think of too many situations where a 2+ year old lead would be valuable from a marketing standpoint without a more recent business relationship.

Re:It is Canada's fault!

[ZombieBraintrust]

Thats the thing. Microsoft did not have implied consent. Thats was this announcement means. They likely have no record of who consented to be on this mailing list. I bet they simply have a list of of email addresses in a db somewhere. When you ask to be on the list they add you and then delete the email. When you ask off they remove you and delete the email. If they want to do an maililng list they have to start from scratch and keep better records.

Re:It is Canada's fault!

What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before and, and they believe your email to be spam, boom, you are culpable. Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

Why would Microsoft be sending me security updates if I didn't ask for them? Is Microsoft buying lists of e-mail address that fell off the side of a proverbial truck from shady characters?

All email a company produces in Canada form this point on have to include a link in the bottom or ability to opt out of all future email.

IIRC, the same is true of the CAN-SPAM Act that the US passed in 2003: there needs to be an IRL address in the message, and an unsubscribe mechanism as well.

Re:It is Canada's fault!

[Garfong]

Based on the number of "please click here to continue getting our newsletter" messages I've been getting in my inbox, other companies don't seem to think the sky is falling.

Re:It is Canada's fault!

[ZombieBraintrust]

That is exactly what Microsoft has done. They likely have poor records for this massive list. The list also no longer serves a marketing purpose as they can't include advertisements for services and still be exempt. So they canned it. RSS was the cheapest replacement.

Re:It is Canada's fault!

[ZombieBraintrust]

It isn't about reality. It is about what Microsoft can prove in court if you decide to sue them. Can they prove to a judge or jury that you consented to the email you recieved?

Re:It is Canada's fault!

If they want to do an maililng list they have to start from scratch and keep better records.

Flat out wrong.

Microsoft could just send an email to everyone asking them to click to confirm that they still want to receive the messages. Microsoft could have been doing this in the emails they sent over the last several months.

The LISTSERV (http://en.wikipedia.org/wiki/LISTSERV) email list software package has had this feature for more than a decade. It would be trivial for Microsoft to do this if they wanted to.

So, there is some ulterior motive here, and it has nothing to do with this anti-spam legislation.

Re:It is Canada's fault!

[cdrudge]

They could have easily complied with the law by sending out a non-advertisement security-related email saying that if they wished to remain on the mailing list they would need to explicitly "opt-in" to the list again, (re)confirming their desire to receive the emails. At that time they could either specify that the newly reconfirmed opt-in list might receive security AND/OR advertisements, or make the list security only without plugging any of their products/services.

Re:It is Canada's fault!

[Arker]

"What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before and, and they believe your email to be spam, boom, you are culpable."

Sounds good to me. If you are spamming you should be culpable. I'd prefer to see public hanging brought back as the punishment, but failing that, a fine big enough to matter is not a bad idea.

Re:It is Canada's fault!

[ZombieBraintrust]

I think that is what they have done. They sent out an email with instructions on how to get the security updates. The method they are using, RSS, gives you control over how you recieve those updates. With the new approach microsoft isn't keeping track of your email address or personal information. They are not using some propietarty bs either. RSS is a standard supported by lots of companies.

Re:It is Canada's fault!

Oh gosh, the sender of e-mail might have some responsibilities! What, oh what shall we do? The customers keep forcing themselves upon us and they won't take no for an answer! We were forced at gunpoint to gather e-mail addresses, generate elaborate marketing systems and campaigns, and spend millions upon millions of dollars pestering those customers! And some of them aren't even our customers!

I get it. You want opportunity without any responsibility. If someone in marketing does something stupid, you want to walk away from their actions scot free. And of course for that $10 million liability to kick in, marketing (or elsewhere, let's not be naïve) has to do something really, horrendously, catastrophically stupid.

And you either want to publish no unsubscribe mechanism, or publish but ignore it. I mean really, simply publishing a working unsubscribe link would address 99% of your liability, but that isn't good enough, is it?

Re: It is Canada's fault!

Any business, no matter how small, that sends spam cannot die soon enough.

Re:It is Canada's fault!

[tlhIngan]

Canadian IT head here. Just spent the morning reading over the law that this is in knee-jerk reaction to. I think Microsoft's reaction is warranted. According to the new law, a company can be charged up to 10 Million dollars for an infraction (read single email) of un-solicited email. The law is poorly formed, and not well thought out, as well as lengthy and vague enough to create a broad swatch of culpable people.

What it boils down to is this. If you send an un-solicited email to someone you have not done business with in the last 2 years, and they have not opted in before and, and they believe your email to be spam, boom, you are culpable. Also if you install software on someone's computer without explicit, but easy to understand examples of what the software is/does you can also be held culpable.

And you know how people fix it? They dump their mailing lists and ask people to sign up again.

Yes, I've gotten about 40 of those emails asking me to sign up or bye-bye. Good! I re-signed up for 2 honest ones I really couldn't live without. And out of those 40 of them? Well, most of it was list sharing since they happened at work.

Sure, it means your 30,000+ member mailing list gets trolled down to 1,000 or less. But that's a GOOD THING. A lot of people gave up unsubscribing years ago, and I'm sure as companies merged and separated that mailing lists got munged up.

If you're so worried about it, all you need to do is dump your complete mailing list collection and start anew. Then implement double-opt-in, and expiry dates in your mailing lists.

It's not hard. At our company, we simply sent out one last email that said "Please sign up for our mailing list" and detailed that because of the law, we're deleting the entire mailing list and starting afresh, and if you want to receive the emails, just click to join and double-opt-in. Put in a 2 year timer on them to ask them to do it again in 2016, and you're done.

If you're worried about emailing someone you haven't done business in two years? Don't put them on your mailing list EVER. Have a checkbox that simply invites them to your mailing list.

It's not hard. Dump your current list. Add a timer to every email address on when they signed up. Then do double-opt-in and you're done.

Whine whine whine, they gave me an email on the order form and I can't market to them!? Good. If they wanted, they could sign up! They gave you an email address for the order to send them status updates on the order not for putting on the "what's hot this week" list.

All email a company produces in Canada form this point on have to include a link in the bottom or ability to opt out of all future email.

What's wrong with that? If I don't want your email, I most likely don't want all your email. I don't care for your weekly specials, your yearly specials, your weekly sales on computer parts, your email catalog of discounts, etc. One click should get me out of all of those. And no BS "your request will be handled in 3-4 weeks" - this is the 21st century. If you can add me in 10 seconds, you can remove in 10 seconds. You don't have to send it ot the CEO to approve.

Companies are whining because the rules mean they can't do a lot of crap anymore. I'm sure most of the people on that Microsoft list no longer work in a way that makes it relevant anymore to them, they were just lazy to remove themselves and clicking delete is a lot quicker than trying to find out how to unsubscribe.

Hell, I bet it also removes a lot of auto-spam from the list. Remember why most mailing lists end up on antispam lists? Because it's easier to click the "Spam" button on your email client, GMail, Hotmail, etc.

So no more adding me to your marketing mails because I happened to place an order with you for one item only you sell in Canada, that I might need again in 5 years.No more unbounded email l

Re:It is Canada's fault!

[tlhIngan]

I am not saying the goal of reducing spam is bad, in fact I agree an opt in system would make more sense, but unfortunately businesses have had this law sprung upon them, with little warning, and the penalties for infraction are huge

The law was enacted in 2010. In fact, it was proposed back in 2009.

I know, 4 years is "not enough time" I mean, Microsoft has been telling people XP's support would end in April 2014 for years now and everyone STILL got caught off guard.

Everyone had years to prepare. Of course, the problem is most businesses, unless the deadline is tomorrow, will put it off.

You can tell everyone that the price of gas will go up tomorrow by 5 cents, and everyone will gripe that the price of gas went up by 5 cents the next day!

Perhaps it's just better to spring things on people because obviously giving people plenty of advance notice just results in them panicking at the last moment anyways.

Fail whale

[tepples]

Is there no reason they couldn't just use Twitter?

Using RSS instead of Twitter allows Microsoft not to rely on the single point of failure that is Twitter Inc.

And besides, isn't this solved by Windows Update?

For one thing, having thousands of PCs in a company individually download multi-megabytes updates from Windows Update wastes the bandwidth compared to use of WSUS. For another, some administrators prefer to test Windows patches before deploying them because Windows patches some are known to break programs that inadvertently rely on underspecified behavior.

Re:Fail whale

Fair enough, both excellent points. I was not thinking of corporate clients (I was instead focusing on single user use-cases), and also realize that yes, Micro$oft wouldn't want to rely on another company to disperse communications. But still, this smells, since the legislation specifically has a loop hole designed to protect companies informing customer's about software updates via email.

Any periodic e-mails should be RSS feeds

[iamacat]

This law or not, any recurring e-mails are spammy. E-mail should be reserved for one time interactions like order confirmations and of course personal communication. With RSS feeds, user can unsubscribe, suspend and resume viewing updates at their convenience.

Re:Any periodic e-mails should be RSS feeds

What the fuck is RSS?

Re:Any periodic e-mails should be RSS feeds

[jbmartin6]

Why is it better to have to maintain a whole separate infrastructure of servers, protocols, and clients, when basic email does the job just fine? I can unsubscribe, suspend, and resume at my convenience now, I don't see why we would need another delivery channel. You could just as well say that interested parties should just go to the website when they want to know something.

Re:Any periodic e-mails should be RSS feeds

[ZombieBraintrust]

What the fuck is RSS?

RSS is just markup. A simple rss feed is just a an xml document you host like a web page that contains a list of items. Each item having a title, description and pubDate with rss as the root of the document.

Re:Any periodic e-mails should be RSS feeds

What the fuck is RSS?

I think it's some kind of repetitive strain injury.

(And on the off chance that you're serious, let me Google that for you.)

Re:Any periodic e-mails should be RSS feeds

[DarkOx]

Its not another channel its just a XML document on a webserver (pretty sure MS already runs a number of those)

Re:Any periodic e-mails should be RSS feeds

[Just+Some+Guy]

With RSS feeds, user can unsubscribe, suspend and resume viewing updates at their convenience.

With email subscriptions, users can unsubscribe, suspend, and resume viewing updates at their convenience. Email is also vastly more bandwidth and power friendly than continually polling to ask "have anything for me yet? have anything for me yet? have anything for me yet?".

An email newsletter that a user can subscribe to and which honors the "unsubscribe" link it at the bottom is identically as spammy as RSS.

Re:Any periodic e-mails should be RSS feeds

[ZombieBraintrust]

Email is also vastly more bandwidth and power friendly than continually polling to ask "have anything for me yet? have anything for me yet? have anything for me yet?".

That really depends on how you access email and how you access rss feeds.

Re:Any periodic e-mails should be RSS feeds

But won't be. RSS is declining. Google Reader was cancelled due to the decline. I love RSS but hard to justify using it going forward considering how few mass-market people use it.

The law is to blame, not MS.

MS's emails may not be exempt, for example a security notice for an XP security hole suggesting users to upgrade from XP to windows 8, even if it's only a time component of the email, would not be exempt, and they could face a $10 million fine. Per email. Furthermore, the onus is 100% of MS to have documented proof they had consent to send the email if they are charged.

The law is horrible, how many spam emails are actually coming from Canadian companies? Less then 1%? It will be legitimate businesses that get hit with this, meanwhile it's business as usual for actual spammers.

Re:The law is to blame, not MS.

why do you think the law targets "canadian companies" sending the spam?

International law is complex but often has provisions to allow some stuff like this to fly (spamming canadians in violation of canada laws).

Timeline

[ZombieBraintrust]

The Canada Anti Spam Law requires very specific opt in from the people recieving emails. It requires that certian content not be in the email. It has fines. Microsoft is going to have to train its people and change its templates. It is going to have to get its emails approved by Canadian lawyers. It will take time for it to get in complience of the law. But the deadline is tommorow. So they will RSS feeds instead. It is very easy for an expert to say the emails are exsempt to the press. But I bet if you showed them a few emails they would find a few problems. Things Microsoft needs to fix or get fined.

Re:Timeline

[taustin]

Or maybe this is Microsoft admitting that they, as a corporation, are simply incapable of passing up an opportunity to shove advertising down people's throats, largely because they have no desire to do so.

Re:Timeline

Or maybe this is XYZ admitting that they, as a corporation, are simply incapable of passing up an opportunity to shove advertising down people's throats, largely because they have no desire to do so.

Replace XYZ with your favorite villain company: e.g, Google, Apple, Facebook, Sony, Netflix, Amazon, Microsoft, etc

Re:Timeline

Or maybe you're a fucking moron that shouldn't be allowed to breed.

Re:Happy Monday from The Golden Girls!

[ganjadude]

no more work than posting that post. on the same note im with you, i just dont get it. now sharks with frickin lazers on the other hand....

NSA...

Probably told MS not to tell security IT's about new updates so they have more time to exploit them.

mod up

[ganjadude]

interesting take on things, and i can see why they would be concerned. a 10 million dollar fine for a single email? if they are sending tens of thousands of them out, even 1 goes to the wrong address and bam. thanks for the insight, wish i had mod points

Re:mod up

Read the rules, it is a simple three point process

http://fightspam.gc.ca/eic/site/030.nsf/vwimages/ThreeThings_toThinkAbout_large-eng.jpg/$file/ThreeThings_toThinkAbout_large-eng.jpg

Re:mod up

And sadly, intent, specifically for this law, does not matter (since that was found too difficult to prove). Even a company sending a mail to the wrong address by mistyping it can get the fine.

Re:mod up

This was not an easy link to find, thanks for the heads up, and while this does simplify the ruling greatly, it is, according to the fine print "intended to provide a plain language explanation of SOME of the requirements under the act".

At a potential 10 mil per mistake are you comfortable with SOME?

Re:mod up

how was it hard to find?

I used google for the term "CASL", I then clicked the first link (GC site) and the info is on the bottom of the page.

As for "comfortable with SOME"...
If i was responsible for sending "mass email" i would follow this law more closely, and have an opinion from someone with authority to provide one.

PS - you know the draft for this came out in 2011 right?

Re:Happy Monday from The Golden Girls!

[mjm1231]

I have no desire to learn more about any Golden Girls fanfic where Bea Arthur has retired from the Russian space program, either.

Re:Happy Monday from The Golden Girls!

Being that Bea Arthur looks a lot like like Brezhnev, cosmonaut is appropriate here.

Great for RSS adoption.

[mbourgon]

I automated this a while ago, using Powershell to query the RSS feed, pull out the details, and send the proper parties an email if there's a new message relevant to us.

It probably seems like reinventing the wheel, but allowed us to split out the emails to relevant for each group, rather than one monolithic email. Which meant each affected party was liable to actually read it.

Overall though, anything that shows how useful RSS is, is a good thing.

Canadian here...

Most of my contacts have already sent out message of the type "new law coming, please reply to opt-in".

My guess is that Microsoft was asleep, left it too late (law goes into effect tomorrow, Jul.1) and decided to skip it rather than trying to hustle.

Email expensive?

[khb]

"dumping an expensive delivery channel"....

Aside from the $CDN potential fines, just how is email *expensive"?

Re:Email expensive?

It is about $2-$10 / 1000 mails. For larger quantities that could go down to $0.50 or $0.25. But there is an inherent cost to:
- optimize delivery speed (not too fast, not too slow)
- respond to complaints or abuse
- handle bounces
- watch out for domain troubles (e.g. a large domain being offline for longer periods)
- required hosting of application: handle clicks, image hosting, changes of profile (remember a mailing results in a self inflicted ddos)

Maybe Hotmail has some of this stuff organised already (but that does not make it free). Mailings like that are large for every shop.

Re:Email expensive?

Those numbers are chicken feed. suppose they are sending 100 million out every month (and I bet there rate is way way below your $.25 per 1000), but lets use that number. That only comes to $25k a month, they would be spending exponentially more than that on just preparing the patches and vetting the communication.

RSS is the right way!

[DarkOx]

RSS is the right way. Distributions lists for notifications of this type have been done with mail historically because it was there not because it was a good medium.

Consider if you use e-mail for this sort of thing you need to take care of several functions e-mail does not itself take care of:
*allow people to subscript
*allow people to unsubscribe
*scrub you mailing lists for dead addresses.

Your mail servers might be stuck with large disk queues waiting on dead domains where the MX server does not answer etc too because well that his how mail works. All of these things are not as simple as they first appear. Do you remove an address the first time you get a 500 error? Because some admins server sends an improper error code, then a bunch of users start screening about how they signed up and never get their news letter.

With RSS you just put the link out there, you don't have to manage your subscribers. You don't have to provide any unsubscribe function users can take care of themselves. You if anything from your web logs get better feedback about how often the messages are viewed because you can assume people pulling the feed actually receive it and that its not just getting filtered off to junk/spam folders.

FOSS Calendaring, Contacts etc.

[Dr.+Evil]

Most FOSS people I know just gave up waiting for good calendaring/contacts etc, and use Gmail and Android.

Real world spam

[sjbe]

Wait, what? I thought Email was cheap, 'cause, you know ... spam.

No, you're confusing email with the US Mail spam delivery system. The whole thing is subsidized by spam you can actually throw in the trash can.

Re:Happy Monday from The Golden Girls!

it's COFFEE POT, nothing else makes sense.

I applaud this action

[Dishwasha]

How easily people forget and get in to a comfort zone. When Microsoft first announced switching to a patch Tuesday email, everybody on /. criticized them for waiting up to a week to announce 0-day vulnerabilities and patch information.

A once a week email is close to worthless. It's better to leave vulnerability notification to people who are serious about it and stop wasting Internet bandwidth, cycles. and storage.

Re:Happy Monday from The Golden Girls!

[jargonburn]

True! On the other hand, by posting on Slashdot I can try to engage the community!
It's all about teamwork!

Also, knowingly responding to an obvious troll can itself be a subtle form of trolling ;)

Sorry

[bregmata]

As a Candian I... uh....

I'm sorry.

Cry More Spammer!

[citylivin]

"Canadian businesses, no matter how small, are beholden to this law. Small companies are going to fold left and right because they cannot afford to comply wiht the new regulations, and those that don't try to comply run the risk of paying a huge penalty."

You're an idiot. I have been getting email's all month from like every vendor I have ever dealt with, every company, with an email saying "hey there, please stay in contact with us". So it's hardly killing businesses left and right as you claim. Or even is it really that complex, just judging by the amount of small vendors emailing me. Some don't even use list management, but have an email you can send a message to to confirm. To most I am just ignoring it, because hey, I never did give you permission to email me forever because i bought some product off you 5 years ago! To some I have responded that its OK to email me. This is a great law! That is exactly what I expect from companies.

For our organization, we have been doing double opt in for YEARS. So there was very little to do for us to become compliant.

In short, if you are the "head of IT" for a well run business, you would have 1) already made people opt in for communications years ago, possibly implementing even double opt in and 2) already provide legit unsubscribe links and have very little to do technically to be complaint in this law. If you were doing things properly that is.

Of course if you are one of those businesses that was doing things wrong for years and are now whining about it, well what can I say.

Time to start doing a better job and managing your email lists properly.

DKIM-Signature

[tepples]

I was referring to "The general principle that [...] delivery SMTP servers SHOULD NOT, perform validation tests on message headers". Plenty of spam filters rely on message headers. What do you think DomainKeys Identified Mail is?

Re:Twitter? Windows Update? Fools

Is there no reason they couldn't just use Twitter?

Because their target market is not preteen girls. Professionals need to see these notices, and Twitter has an abysmal penetration among educated professionals. I know at the software development company where I work, we had less than a dozen hits to twitter.com out of almost 250 million web proxy log lines the last time we looked. Also, our Facebook page gets nearly a hundred thousand hits each month compared to the nearly zero for Twitter. Adults just don't use that garbage, and I don't understand your call for Microsoft to shove that garbage down our throats.

Re:Happy Monday from The Golden Girls!

I just don't get this "Happy Monday from The Golden Girls" thing.

It's just one tool in a Social Media Management (SMM) team's arsenal.

They use it like a placeholder to shift negative discussion about their client further down the page where it's far less likely to be read.

Re: Happy Monday from The Golden Girls!

This may come as a surprise, but some people just like to troll to troll.

Poorly moderated forums ASK for it.

Bandwidth is one cost, Licenses, Administrators...

[cboslin]

Just another victim of the issues around bandwidth and cost to do perform the updates.

With Net Neutrality no longer being upheld, Microsoft's patching and update process is very expensive. Can it even be done with a server onsite getting patched first and updates to the rest of a businesses client machines coming from it? If so, then even that did not help at the multi-national conglomerate I worked at. A huge Java dev cloud user env, the Administrators performing updates to thousands of machines were told to stop some days when the network experienced problems. Though the network was as much to blame as anything else.

Still the company with more than 10,000 clients simply stopped updating Windows machines. Simply stopped.

The personel that were patching were let go or moved to other duties, their positions were never back filled. Cut labor at what cost long term?

I strongly believe MS sees the writing on the wall and just as they cut other costly support services, they cut this patching / update process for the same reasons...not the reasons they tell us. Cut that labor and bandwidth.

Net Neutrality issue here perhaps? After all if MS starts getting charged for the bandwidth required to do the patching and updating by the ISPs wanting to charge more for bandwidth....

And I'm sure...

...that absolutely NO ONE in North Mexico would EVER sue MS for "spam"....