Friday, August 22, 2008

Do you want to win the Website war?

1. Buy an e-mail list from any random provider.
Marketers (and content-generators such as CIO.com! Did I mention we have some great newsletters of our own?) understandably want to disseminate the company's information to as wide an audience as possible, as quickly as possible. One common way to extend a company's reach (a leftover of the print catalog era, but less effective online) is to buy a mailing list of qualified buyers or people who have expressed interest in similar services.

E-mail is expected to be opt-in; that is, someone must explicitly give permission to receive unsolicited commercial mail from a particular sender. Almost by definition, anyone who sells a list of e-mail addresses is distributing those identities without the users' consent. Permission can't be bought, sold, bartered or assumed. It must be acquired directly from the only person who can give it: the owner of an e-mail address. Savvy spam fighters intentionally sign up for some lists with "spam-trap" IDs just to see if the e-mail ID will be abused.

If you're thinking of buying a list, you'd better be sure that the IDs were acquired properly -- which is rare. The Spamhaus Web site tells people never to buy a list of e-mail addresses for bulk distribution. Otherwise, Bam! Straight shot to a blacklist.

2. Don't follow industry best practices for mailing lists.
Any newsletter you send should use confirmed opt-in (sometimes called closed-loop opt-in) to ensure that the person who signed up is the person to whom the e-mail will be sent. This is a biggie. If your newsletter doesn't follow this rule and you get onto a blacklist for any reason, you won't be removed from the list until the confirmed opt-in issue is addressed.
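Here is what a confirmed opt-in flow looks like in code. This is an added example, not part of the original article or any CIO.com system: the subscriber asks to join, a signed, time-limited confirmation link is mailed to the address, and the address is added to the list only when someone who can read that mailbox follows the link. The same signed-token scheme produces the one-click unsubscribe link. The host name news.example, the 48-hour expiry and the in-memory "pending" and "subscribers" stores are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote, unquote

# Assumed for the example: in production the key comes from configuration,
# not from a fresh random value at import time.
SECRET = secrets.token_bytes(32)
CONFIRM_TTL = 48 * 3600          # assumed policy: confirmation links expire after 48 hours

pending = {}                     # email (lower-cased) -> time of the sign-up request
subscribers = set()              # only confirmed addresses ever end up here


def _sign(action, email, ts):
    """HMAC over action, normalised address and timestamp; binds the token to one purpose."""
    msg = f"{action}|{email.lower()}|{ts}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(action, email, ts=None):
    ts = int(ts if ts is not None else time.time())
    # quote() percent-encodes ':' and '@', so the separators below are unambiguous
    return f"{action}:{ts}:{quote(email)}:{_sign(action, email, ts)}"


def verify_token(token, now=None):
    """Return (action, email) for a valid, unexpired token, otherwise None."""
    try:
        action, ts, email_q, sig = token.split(":", 3)
        ts = int(ts)
    except ValueError:
        return None
    email = unquote(email_q)
    # constant-time comparison so a tampered signature cannot be probed byte by byte
    if not hmac.compare_digest(sig, _sign(action, email, ts)):
        return None
    now = time.time() if now is None else now
    if action == "confirm" and now - ts > CONFIRM_TTL:
        return None
    return action, email


def request_subscription(email, send, now=None):
    """Step 1: record the request and mail a confirmation link. Nothing goes to the list yet."""
    now = time.time() if now is None else now
    pending[email.lower()] = now
    token = make_token("confirm", email, now)
    send(email, f"Confirm your subscription: https://news.example/confirm?t={token}")
    return token


def confirm(token, now=None):
    """Step 2: only someone who can read the mailbox has this token; that closes the loop."""
    result = verify_token(token, now)
    if result is None or result[0] != "confirm":
        return False
    email = result[1].lower()
    if email not in pending:         # unknown, or already confirmed: the link is single-use
        return False
    del pending[email]
    subscribers.add(email)
    return True


def unsubscribe_link(email):
    """One-click unsubscribe: no login, no form, just a signed link in every newsletter."""
    return f"https://news.example/unsub?t={make_token('unsub', email)}"


def unsubscribe(token):
    result = verify_token(token)
    if result is None or result[0] != "unsub":
        return False
    subscribers.discard(result[1].lower())
    return True
```

The point of the signature is that the confirmation link proves possession of the mailbox, not merely knowledge of the address: a list seller, a typo, or a forged sign-up form cannot produce a valid token, so nobody lands on the list without having received and acted on the mail.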

Make it easy to unsubscribe from a mailing list. Even when you do make it a one-click action, entirely too many people fail to unsubscribe and instead stab angrily at the "This is spam" button in their e-mail client. Big e-mail service providers such as Yahoo Mail won't block your newsletter for a single spam report, nor will they list you in an RBL because of one lazy newsletter recipient, but you don't want to get anywhere close to the line.

Another express ticket to the blacklists is to repurpose addresses. "Don't store a user's e-mail address for one reason and then send them bulk e-mail for a completely different reason," explains Richi Jennings, lead analyst for the e-mail security practice at Ferris Research.

For example, a hosted antispam service allegedly mailed its customers' technical contacts a marketing message. When customers signed up for the service, they provided a technical contact for messages about service outages, trouble-ticket updates, etc. "The technical contact has a clear expectation of the types of messages they'll receive, and that doesn't include marketing," says Jennings.

3. Let anyone use content-sharing features, willy-nilly.
Many sites (yes, including CIO.com) encourage readers to participate in some way. You might comment on an article (we writers do appreciate it, not that I'm hinting or anything), e-mail the article link to a friend or, with modern social networking tools, create your own page.

Those are great. But blog comments can generate comment spam, which points right back at your domain. Many sites' "e-mail this article" feature is malformed -- for example, spoofing the "from" address -- leading to bounce messages if not the land of blacklists. And so on.

Catherine Hampton Jefferson at SpamBouncer explains: "If you're a news site, for example, and want to let people forward a news story to someone, you should restrict them to sending it to a small number of e-mail addresses. I'd also check the IP they're connecting from against the CBL and perhaps other carefully selected block lists."
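The two controls Jefferson describes, a small cap on recipients and a block-list check on the visitor's IP, plus the "don't spoof the From address" point from the previous paragraph, fit in one gatekeeper for a share-this-article feature. This is an added example, not code from the article or from SpamBouncer. A DNSBL lookup is a DNS query for the reversed IPv4 octets under the list's zone, answered with an address in 127.0.0.0/8 when the IP is listed; the resolver is passed in as a function so the example runs offline against a constructed answer table. The zone cbl.abuseat.org is the one the CBL published at the time (check the list operator's current documentation), and the five-recipient limit and the share@news.example sender are assumptions.

```python
import ipaddress
from email.message import EmailMessage
from email.utils import parseaddr

CBL_ZONE = "cbl.abuseat.org"          # zone historically used by the CBL; verify before use
MAX_RECIPIENTS = 5                    # assumed policy limit for one share request
SITE_SENDER = "share@news.example"    # assumed site-owned sender address


def dnsbl_query_name(ip, zone=CBL_ZONE):
    """203.0.113.45 under cbl.abuseat.org becomes 45.113.0.203.cbl.abuseat.org."""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError on anything that is not an IPv4 address
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve, zone=CBL_ZONE):
    """resolve(name) returns the A records for name, or [] on NXDOMAIN.
    Any 127.0.0.0/8 answer means the address is on the list."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return any(ipaddress.IPv4Address(a) in ipaddress.IPv4Network("127.0.0.0/8") for a in answers)


def _clean_address(raw):
    """Accept one bare address; refuse display names, CR/LF header injection and junk."""
    if any(c in raw for c in "\r\n"):
        raise ValueError("control characters in address")
    name, addr = parseaddr(raw)
    if name or "@" not in addr or addr != raw.strip():
        raise ValueError(f"invalid address: {raw!r}")
    return addr


def build_share_message(client_ip, visitor_email, recipients, article_url, resolve):
    """Return the message to send, or raise ValueError with the reason the request was refused."""
    if is_listed(client_ip, resolve):
        raise ValueError("client address is listed on the CBL")
    if not 1 <= len(recipients) <= MAX_RECIPIENTS:
        raise ValueError(f"between 1 and {MAX_RECIPIENTS} recipients allowed")
    to_addrs = [_clean_address(r) for r in recipients]
    reply_to = _clean_address(visitor_email)

    msg = EmailMessage()
    msg["From"] = SITE_SENDER            # the site is the sender; the visitor's address goes in Reply-To
    msg["Reply-To"] = reply_to
    msg["To"] = ", ".join(to_addrs)
    msg["Subject"] = "An article was shared with you"
    msg.set_content(f"{reply_to} thought you would like this article:\n{article_url}\n")
    return msg


# Constructed answer table standing in for a real resolver: one listed address.
FAKE_DNS = {"45.113.0.203.cbl.abuseat.org": ["127.0.0.2"]}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])
```

Bounces from a site-owned From address come back to the site, where they can be monitored, instead of to a visitor who never sent anything; and because the visitor's IP is checked before any mail is built, a compromised machine cannot use the form as a relay.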

4. Use a dubious service provider.
It's astonishing how often companies choose an Internet service provider or Web hosting service without doing due diligence. Before you sign up, find out how often the company was blacklisted in the past year. Discover if they're known to route hijacked network space or if they have a history of spam abuse. One recommended resource for this is SenderScore.org.

This is especially important when companies use a shared mail server or host a Web site on shared hosting, adds Jefferson. "If you are [doing so], and one of your 'neighbors' spams, you can end up listed," she points out. "It stinks, but if you share the same IP with a spammer, IP-based block lists have the unpalatable choice of listing the IP and thereby blocking innocent bystanders as well as the spammer(s), or not listing the IP and letting the spammer spam away."

5. Tick off your technically knowledgeable staff.
If someone is on the inside, and they have been nodding along at each of the points I've already made, it's not all that difficult for them to get a company blacklisted. (I'll avoid examples here, because I don't want to make the job too easy for any disgruntled employees who might be reading this article.)

I'm sure that you treat all your employees well, that they are qualified for their jobs and that you have trained them on acceptable-use policies for e-mail (you do have them, don't you? Please tell me you do). Yes, sure you treat every employee with unrelenting positive regard and gobs of respect -- and I am the Queen of the May.

Someone, somewhere in your organization will eventually decide that he is being pushed to the limit -- and then you'll end up in a situation like the city of San Francisco's rogue network administrator. What technology do you have to make it difficult (it'll never be impossible) for an upset insider to give his manager a Very Bad Day?

6. Run a sloppy mail server.
Mail servers that don't follow the rules have a myriad of ways to get their feet caught in a spam trap, some of which were enumerated in other CIO.com articles. Some of them are technical and under the purview of your e-mail admin, such as "The HELO/EHLO string should ideally match the full domain name."

Bottom line, here: Follow the standards.

7. Ignore the security on devices that may be compromised by spambots.
Your e-mail server may be pristine in its behavior, but if one of your end users' computers has been taken over by a virus that is sending spam, your domain is still responsible for polluting the Internet. Pay attention to software installed on your desktops and servers, whether by staffers (tricked through social engineering, or through deliberate malfeasance) or when users visit compromised Web sites.

Don't cast your hairy eyeball only at stand-alone PCs. One e-mail admin told me he once flagged an open relay that turned out to be an electron microscope at a Belgian university. Hewlett-Packard printers have been used as zero-day warez (pirated software) FTP servers. The more gizmos that are connected to the Internet, the greater the possible venues for spam and viruses. (Doesn't that thought just brighten your day?)

8. If you do land on a blacklist, threaten to sue and make angry demands.
It is possible to find your site on a blacklist because of an innocent mistake. But when you go to resolve the situation, assume that it was your error or ignorance that caused the problem, not someone else's fault. Do not threaten.

Otherwise, you might find yourself on the "permanent block list" with no chance to be removed. One e-mail admin says he blacklists for life anyone who tries to sue, including legal firms handling the cases. "Since they support Internet abuse, they really don't need to have the privilege of using it," he adds.

Matthias Leisi, project leader at dnswl.org, a "whitelist" of known legitimate e-mail servers, says, "We once had a guy threatening to sue us at dnswl.org if we would not immediately list all his IP addresses with highest trust score. When we told him that this is not the way we operate, he went into ALL CAPS MODE, telling us what a bunch of incompetent losers we are, and that he still insists to be listed, 'or else.'"

In point of fact, there is no "or else." Like a baseball player who disagrees with an umpire, the umpire may be wrong, but his decision is final. If you argue, you'll just be thrown out of the game.
