Anti Spam policy


#1

Your anti-spam policy, while welcome I am sure, seems a little oppressive re mailing lists, with a lot of criteria to meet.

Are these criteria absolutely essential?

No bouncing addresses… I mean sometimes people do come along and enter silly invalid domains and stuff.

Like having to provide a confirmation URL when subscribed:
Isn’t an unsubscribe link enough?

I ask because on my current host I run a mailing list for my site that has been very successful with PHP (front end done in Flash), and it would be an effort to change this.


#2

We don’t say that you can’t have any bouncing addresses. We are just saying that when addresses bounce, you need to remove them from your list.

The “people entering silly invalid domains” bit should be taken care of by the confirmation process (which is required). This is one reason that we require this… for example:

  1. Person tries to subscribe to your list as “somefakeaddress@somefakedomain”.
  2. Confirmation email is sent to “somefakeaddress@somefakedomain”.
  3. Message is never received, never confirmed; person is never subscribed to your list.

And as someone who has some real domains that might seem fake (I get an awful lot of spam to “spam at spamspamspam dot com” for example), I’d much rather get a single confirmation request than get added to a list because someone doesn’t bother to do confirmation.

[quote]Like having to provide a confirmation URL when subscribed:
Isn’t an unsubscribe link enough?[/quote]
Not really. At this point, most people are smart enough not to unsubscribe from spam. If you haven’t requested to receive email from someone, it’s logical to consider it spam. So consider this scenario:

  1. Someone accidentally or maliciously subscribes someone else’s address to your mailing list.
  2. You don’t use confirmation.
  3. The actual person who that address belongs to starts receiving your messages. Since they didn’t request them, they consider them spam.

Now in this scenario, it makes much more sense for the recipient to report the message to us as spam than for them to unsubscribe from your list (which they didn’t subscribe to).

In a situation where someone forgets they subscribed, having some “proof” that they subscribed also becomes very handy.


#3

Yes, I see the logic, but you could still look at it the other way round: A confirm URL in the email could represent exactly the same trap as an ‘unsubscribe here’. A spammer could send out millions of emails with ‘confirm here’.

Also if the URL is something like mymaillist?action=delete then chances are it is an unsubscribe address. As far as I know I’ve never had anyone complain they were subscribed without their consent but have had people periodically remove themselves from the list if they get bored of it.

I think the policy is a little bit hard because most ISPs and hosts don’t insist on this and it is almost trying to cure a problem that exists with all form-based input in webpages and is enough to require a rewrite or new scripts for most people. Although I have read stipulations about securing scripts using sendmail in other hosts’ terms.

However, I could change the script to send a confirmation email first if I sign up with DreamHost. Although this particular subject is just one of many that I am asking about…

thanks


#4

[quote]Yes, I see the logic, but you could still look at it the other way
round: A confirm URL in the email could represent exactly the
same trap as an ‘unsubscribe here’. A spammer could send out
millions of emails with ‘confirm here’.

[/quote]

This is true, and something that we have considered. However, in our experience this really hasn’t happened much (I can think of only one single confirmed case, actually), and due to the nature of the way the system works it’s much easier to identify what is happening and stop it before it happens.

If it becomes a greater problem, we’ll probably enact even tougher restrictions. Hopefully that won’t be necessary, though.

In any case, it’s not a perfect system. However, it’s far better in preventing abuse than allowing customers to use an “opt-out” based system. The amount of spam sent through our network has decreased, as has the time it takes us to get rid of spammers.

[quote]Also if the URL is something like mymaillist?action=delete then
chances are it is an unsubscribe address. As far as I know I’ve
never had anyone complain they were subscribed without their
consent but have had people periodically remove themselves from the list if they get bored of it.

[/quote]

We’re not against remove addresses at all - in fact, we require them. However, they solve a completely different problem than opt-in confirmation.

The main problem with ‘remove’ links is that they do absolutely nothing to ensure that the person who was subscribed did so of their own volition. It makes it easy for someone to spam a large number of people and - due to the lack of proof that they did so - it’s hard for us to take action against them unless it’s extremely obvious (i.e. forged headers).

In our view, the onus should be on list administrators to prove that someone subscribed, not on the email recipient to prove they didn’t.

Also, there’s the issue of plausible deniability. In the past, we’ve had a lot of trouble with people who were almost certainly spammers, but we couldn’t get rid of because we needed to rack up enough complaints to justify their removal first. Now, there should be no excuse for someone to be unable to account for even a single un-confirmed complaint. That means that it’s much easier for us to tell a legitimate customer from a spammer, and it takes less time for us to get rid of the latter.

Also, we have long recommended to our customers to never click on a remove address unless they are absolutely sure that they subscribed to the list in the first place. The fact is, many spammers use what appear to be remove links to determine that an address has a human on the other end of it. Addresses that confirm may not only not be removed, but actually get more spam because their email address just became worth more on the open market.

The concern is that if we allow people to spam from our servers for too long without doing anything about it, people will use the remove links to get off the list. This is a bad thing, as it reinforces a bad habit that will just result in more spam.

Basically, our goal isn’t just to lessen the number of spam complaints, but to lessen the amount of spam itself.

Finally, we actually did get a fair number of complaints from people who almost certainly did subscribe themselves (maybe you’ve been lucky so far - we host a lot of mailing lists, though). Being able to tell them the date, time and IP address of when they signed up has been very helpful.

[quote]I think the policy is a little bit hard because most ISPs and hosts
don’t insist on this and it is almost trying to cure a problem that
exists with all form based input in webpages and is enough to
require a rewrite or new scripts for most people.

[/quote]

Well, most forms don’t require rewrites at all - only those that handle bulk email (which we discourage in general for administrative reasons - they tend to overload mail servers). If it’s just a form-to-email script or something, it’s probably not going to require any changes at all.

Also, we’re well aware that many other hosts don’t require opt-in confirmation, though some are starting to go that route. In fact, even the policy as it appears on our site didn’t become active until late last year. In hindsight, we probably should have enacted it in 2002.

In our view, spam is becoming an increasingly common form of Internet abuse. A rather large percentage of Internet/email traffic is spam, and the trend doesn’t appear to be reversing any time soon. As the enacted legislation (i.e. CAN-SPAM) is rather toothless against the problem, we feel it is our responsibility as good net “citizens” to minimize the amount of spam that originates from our network through technical and procedural means.

  • Jeff @ DreamHost
  • DH Discussion Forum Admin
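
The confirmation flow described in posts #2 and #4 (a request, a mailed confirmation, subscription only once it is confirmed, with the date, time and IP address kept as proof), as an added example that is not part of the thread or DreamHost's own code. The function names, the in-memory stores, the HMAC token scheme and the 48-hour expiry are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never sent out
TOKEN_TTL = 48 * 3600                 # assumption: unconfirmed requests expire after 48 h
pending = {}      # address -> (requested_at, request_ip); not yet on the list
subscribers = {}  # address -> proof record; only confirmed addresses


def _token(address, requested_at):
    # HMAC binds the token to one address and one request time, so it cannot be guessed
    msg = f"{address}|{requested_at}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def request_subscription(address, ip, now=None):
    """Record a request; return the token for the confirmation URL, or None if no mail is due."""
    now = int(time.time() if now is None else now)
    address = address.strip().lower()
    held = pending.get(address)
    if address in subscribers or (held and now - held[0] <= TOKEN_TTL):
        return None  # already confirmed, or one confirmation request is already outstanding
    pending[address] = (now, ip)
    return _token(address, now)


def confirm_subscription(address, token, ip, now=None):
    """Add the address to the list only if the mailed token comes back in time."""
    now = int(time.time() if now is None else now)
    address = address.strip().lower()
    held = pending.get(address)
    if held is None:
        return False
    requested_at, request_ip = held
    if now - requested_at > TOKEN_TTL:
        del pending[address]  # never confirmed: drop it, the address was never subscribed
        return False
    if not hmac.compare_digest(_token(address, requested_at).encode(), token.encode()):
        return False
    del pending[address]
    subscribers[address] = {  # the "proof" to quote if a complaint arrives
        "requested_at": requested_at, "request_ip": request_ip,
        "confirmed_at": now, "confirm_ip": ip,
    }
    return True
```

A real list would persist both stores and mail the token inside a confirmation URL; the token is only ever delivered to the address being subscribed, which is what makes a returned token evidence that the mailbox owner opted in.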