How not to be a spammer?

Hi everyone,

I recently switched my domain/site to DreamHost. I have a monthly newsletter that I send out (as individual emails to each of about 300 subscribers) from a web-based form using a cgi I wrote myself several years ago.

This evening was the first time I tried to send out a newsletter since joining DreamHost. Everything seemed to be going fine, and I got a few of the usual bounces and out-of-office auto replies and such. Then I got a flurry of bounces that seem to be coming from inside DreamHost, which basically said my email was being returned because my IP address was associated with spam.

I’ve never had this kind of problem before at my previous host (though I had every other kind of problem, which is why I left).

Any thoughts or advice?

You might be in a rough spot, as Dreamhost is not only “death” on spammers (which I completely agree with and support!), but pretty challenging to work with for anyone doing what you are doing (which I just as strongly believe you should be able to do without anyone, or the system, yelling, “Kill the Spammer!”), given the hourly email quota, and the relatively “inflexible” and extremely strident Spam Policy.

I say “inflexible”, in that it seems to imply there is “only one acceptable method” for “opting-in” that is considered legitimate, and makes it very hard to use any kind of a list you may have brought from another site, purchased from a trade association, or compiled in any other manner that most people would find to be legitimate (such as “general membership mailings” where “applications forms” authorize the email, or even letters that ask, “Please send me your email newsletter”). The way I read DreamHost’s policy, if the member did not “opt-in” electronically, with a confirming “subscribe” that you can track by date, time, and IP address, it is not acceptable to send them “mass mail”. I, for one, don’t know how to record the IP address associated with a mailed application or request letter, but I think, depending upon the wording of the application or letter, it is a reasonable “opt-in”. :wink: I suppose someone could “forge” such a document, and mail it to a club, association, or site owner, to “sign someone up” and therefore cause them to receive unwanted email; I just don’t see that as much of a likely scenario.

The difficulty these issues present is a real problem for several of my clients (who do not spam, but want to provide email interactivity to their users via cgi’s on their sites for e-commerce and informational purposes). There has been considerable discussion of these things on this forum (searching will lead you to interesting historical threads, and a response or two from DreamHost staff). As for me, this may well turn out to be a deal breaker for one client in particular, who is a successful gourmet food product retailer whose ecommerce site is just starting to generate significant revenue.

It might help us to figure out more precisely what is going on in your case if you would post “full headers” to one of the “flurry of bounces” that you think might be generated by the system, so we could look at it and better tell what has actually occurred.

Alternately, if you broke the “200 emails per hour” rule, you may find out sooner rather than later, as DH may well “block your user from sending email” as a first step to getting it sorted. If this happens, you need to get on top of it quickly with Support, as all kinds of bad side-effects will start happening for your visitors as the .cgi’s break, they can’t activate registrations, receive news, order confirmations, etc.


Wouldn’t a particularly vibrant forum with an ‘Email all replies to my real email address’ option possibly violate this policy?

Absolutely. I don’t even think it would have to be “particularly vibrant”. If my old mind can handle the arithmetic:

100 members, 25% of which want to be notified of replies.
9 threads generate a single reply in an hour, and all 25 users get notified “automagically” via email, as they requested, = the “user” the CGI is running as has sent 225 emails in that hour. Limit exceeded.

There are all kinds of combinations of legitimate interactivity that you could come up with that would exceed this limit on even a slightly active site.

What about the photo galleries that send “ecards” (I hate those suckers, but some love them, and they are an attractive feature on some sites)? Even a moderately popular blog could easily exceed this limit if it is using email to notify any significant number of “regulars” of new posts. Luckily, there is RSS to the rescue here, but some users prefer the email method (in fact, I often do, depending on the subject matter).

And I think we are a ways away from having most forums and their users track the activity via RSS.

Here’s another one:

I can even see a “brochureware” static site that is “unfortunate” enough to have a really “hot” product mentioned on slashdot or digg (or Oprah!) having its contact form break 200 an hour emailing “requests for information” to the site owner. 4 requests per minute would send 240 emails while the server hardly breaks a sweat serving the pages and the CPU isn’t significantly bothered processing the form.

I think it is a real “gotcha” that many users don’t think about in that, while you have the bandwidth to have your site be interactive many ways, you will run into this problem long before you would begin to approach a significant portion of your available bandwidth, stress the CPU, or in any other way negatively impact other users on the server. I know that the truth of that statement is dependent on how heavily the shared servers are populated. Of course, the bandwidth is still of value, but primarily for “static” sites without any strong email functionality, as it is great for serving up linked docs, images, etc.

This is a relatively new Dreamhost restriction, brought about primarily by problems with other networks blocking dreamhost email servers based on volume and Dreamhost’s attempt to mitigate that problem. To me, it really doesn’t do any more to curtail “spammers” than taking away your fingernail clippers at the airport curtails hijackers.

The principal real value I see it bringing to the table is that it makes it easier for Dreamhost to convince others that the “volume” of mail, which DH believes to be legitimate email as opposed to spam (and takes considerable pains to ensure), coming from its servers, is not sufficiently large for others to assume it is spam, but rather a result of the fact that 300,000 domains are processing mail from a lot of users on shared hosts and using shared email servers…and, “Oh yeah, by the way, no one can really spam from Dreamhost anyway, cause we won’t let a user send out more than 200 mails an hour before we shut them down”.

I think it also might be a “necessary evil” kinda thing to catch and curtail the proliferation of exploitable/exploited scripts installed on the shared servers by the huge influx of “lower tier” users attracted by the extremely aggressive pricing and packages offered of late. Kinda like the way the influx of “aol” users impacted usenet years ago. I get the feeling sometimes that Dreamhost might be in danger of degrading into the same type of undisciplined and uneducated environment, though I hope that trend is just a “blip” on the radar, and that it will not actually become the “norm” at Dreamhost.


Thanks for the info, everyone. I’m not sure what to do next, but I will contact support and see what’s up.


… purchased from a trade association

Most people would consider this spamming, or a grey area at best. Individuals listed on a purchased list did not opt-in to your (in the general sense) mailing, and there’s no way to effectively opt-out of all mailings if a list has been sold. Spammers also sell address lists, often misrepresenting them as legitimate, and buyers generally have no way of verifying the opt-in status of these addresses.

When I was working in network abuse, we considered the purchasing of a list to be equivalent to any other sort of non-confirmed list building, be it web scraping or misappropriating other address lists.

If you want useful replies, ask smart questions.

… purchased from a trade association

Most people would consider this spamming, or a grey area at best. Individuals listed on a purchased list did not opt-in to your (in the general sense) mailing, and there’s no way to effectively opt-out of all mailings if a list has been sold.

I understand that reasoning completely, and I think in many cases that is probably true. As a rule of thumb, I consider what you describe above as “spam”.

The actual circumstances with my client are, I think, significantly different than what you describe, and I would very much appreciate your “take” on their situation:

  1. Client is a member of a trade association

  2. That trade association requires all members join via a “hard-copy” paper application which, though it can be downloaded from their website as a .pdf, must be physically signed and mailed to the association with membership fees and dues.

  3. Trade association membership application describes a principal purpose of the association as being to facilitate communication between members.

  4. Trade association application has two checkboxes immediately below the signature line. One reads, “Check here if you do not wish to receive FAX and email communications from other (assoc. name) Members and (assoc. name) Business Partners.” and the other reads, “Check here if you do not wish to receive FAXes and emails from (assoc. name).”

  5. Trade association maintains paper applications in their office, and will make them available in support of members facing “spam” claims.

  6. Trade association only sells lists to association members, and lists contain no email addresses or fax numbers in the records for members checking the first box described above.

  7. Members may change their “communications” elections at any time via the association website, a telephone call to the association, or mail.

While on the one hand, it seems that this might be more of an “opt-out”, that perception appears to ignore the affirmative actions the member took by joining the association in the first place, completing and forwarding the paper application, and paying the fees/dues, ostensibly to participate in the stated “communications between members”.

It seems to me that it ought to be reasonable for my client to mail an initial mailing to these types of list participants without fear of being tagged a spammer, provided, of course, that all the other mailing requirements (opt out link in the mail, full and accurate disclosure, etc. - all the other requirements stated in the Dreamhost Spam Policy) are complied with.

To my thinking, this is much the same as my client, who is an e-tailer of gourmet food products, mailing to customers who provide their email address with an order and did not “opt in” from their shopping cart, as opposed to a separate “subscription” model, the significant difference being the “cart opt-in” does leave an electronic audit trail with an IP address, where the paper application, or letter, would not.

I really appreciate your taking the time to review my thoughts on this, and knowing and understanding that you are “not speaking for Dreamhost” in any way, I would very much appreciate knowing how, as an “abuse desk pro”, you would perceive this situation. Believe me, I would rather not deal with it at all, but it is very important to my client whose site is starting to generate significant revenue, and wants to encourage its continued success by offering “specials” and “news items” via a monthly newsletter.


I am certainly no expert or anything of the sort, however I’m going to give you my opinion all the same :wink: .

Why not transform your process into a double opt in system? Your client buys this list, and sends out the ‘opt-in’ E-mail. This E-mail can serve two purposes though, it can send out your advertising or whatever and then say ‘if you want to get future mailings from us, just click this link!’.

Perhaps it’s not great from a marketing point of view, but it certainly could work as a compromise. You get to send out the first E-mail without any questions, but they have to opt into your list for anything else.

Someone on this forum mentioned getting their account frozen because of a church mailing list where members had physically signed up in church, and as I understand things using a double opt-in would have negated that. This is also the way DH’s own announcement list works, you can add your E-mail addresses, send out a fully customizable E-mail and all the receiver has to do is click a link and they’re on your list for good (unless they opt-out).

–Matttail - personal website
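
The confirmed opt-in exchange discussed in this thread, sketched as an added example (not code from any poster or from DreamHost): one confirmation link is mailed, and the click is recorded with the date, time and IP address that the paper sign-up lacks. The secret key, the `https://example.com/opt-in.cgi` URL, the 7-day link lifetime and every function name are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import urlencode

SECRET_KEY = b"constructed-demo-secret"         # assumption: per-site secret, stored outside the web root
CONFIRM_URL = "https://example.com/opt-in.cgi"  # hypothetical confirmation handler
TOKEN_TTL = 7 * 24 * 3600                       # assumption: links expire after 7 days


def _sign(email, issued_at, key):
    # Bind the signature to one normalised address and one issue time.
    msg = f"{email.strip().lower()}|{issued_at}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_token(email, now=None, key=SECRET_KEY):
    issued_at = int(time.time()) if now is None else int(now)
    return f"{issued_at}.{_sign(email, issued_at, key)}"


def confirmation_link(email, now=None, key=SECRET_KEY):
    """URL to place in the single confirmation message sent to `email`."""
    query = urlencode({"email": email, "token": make_token(email, now, key)})
    return f"{CONFIRM_URL}?{query}"


def confirm(email, token, remote_ip, audit_log, now=None, key=SECRET_KEY):
    """Handle the click: verify the token, then record who confirmed and when."""
    now = int(time.time()) if now is None else int(now)
    try:
        issued_str, sig = token.split(".", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False                            # malformed token
    expected = _sign(email, issued_at, key)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False                            # forged, or issued for another address
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False                            # expired or future-dated
    audit_log.append({
        "email": email.strip().lower(),
        "confirmed_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "ip": remote_ip,                        # e.g. REMOTE_ADDR as seen by the CGI
    })
    return True


def mailable(pending, audit_log):
    """Addresses that never confirmed are dropped before any later mailing."""
    confirmed = {row["email"] for row in audit_log}
    return [addr for addr in pending if addr.strip().lower() in confirmed]
```

Because the token is an HMAC over the address, a third party cannot sign someone else up by guessing a link, and the audit row is what gets produced if a subscriber later complains.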

Except for the opt-out checkboxes in step 4 (these should be opt-in), you were doing pretty well until step 6, where the list is purchased. Now because I don’t know anything about this trade association or what expectations members may have, I’m only generalizing when I say that this puts you on pretty shaky ground. If by joining this association, people are clearly stating that they’re ok with and expect this sort of thing, then this may not apply.

See, the problem isn’t the initial opt-in. This part sounds more or less fine. You run into problems when people opt-out and find that their address has been sold to an unknown number of third parties. People can opt-in to this association’s mailings, but they can’t give informed consent to everyone the list may be sold to, including your client. More importantly, if they opt-out from the association’s mailings, they then need to opt out of the mailings of every company that purchased this list. This places a huge burden on the recipient, especially when they have no way of knowing how many times the list was sold, or to whom. For this reason, buying a list people have opted-into doesn’t mean you now have an opt-in list. Opt-in status isn’t transferable that way unless the initial opt-in also made it clear that the list would be sold. Now this may actually be the case here, but I suspect your client would have a hard time proving it if Dreamhost started getting abuse complaints.

As I think you know, the best approach to take would be for your client to have a subscription form on their web site, and offer an opt-in checkbox to people buying online. Yes, it takes a while to build a subscriber list this way but, using a confirmed opt-in exchange, they can be 100% certain that they won’t get in trouble with DH and, equally importantly, they won’t be annoying their customers. While this trade association list may be completely legitimate, there are still potential problems in a situation like this.

e-tailer of gourmet food products

Excellent. Let them know my consulting services can be bartered for :slight_smile:

If you want useful replies, ask smart questions.

The preferred term is “confirmed opt-in”. The term “double opt-in” is one used by spammers to give the impression that an undue burden is being placed on list subscribers. While they mean the same thing in practice, using the former allows spammers to frame the debate in terms more favorable to them (see also: “pro-choice” vs. “pro-life”).

If you want useful replies, ask smart questions.


Thanks for taking the time to read and respond to me on this thread, and I believe you know your opinion is always valuable to me; I believe you are an expert on many things. :slight_smile:

Your client buys this list, and sends out the ‘opt-in’ E-mail. …‘if you want to get future mailings from us, just click this link!’…You get to send out the first E-mail with out any questions, but they have to opt into your list for anything else.*

* Above quote edited for brevity - omission indicated by “…”

Man, that would be completely acceptable to me and, given the circumstances I described, ought to be acceptable to my client. I’d go so far as to say that if I couldn’t get him to go for that kind of an arrangement, maybe he has some “latent spammerish tendencies” and I really ought to just part ways with him now.

My problem with taking that approach is that I don’t read the Dreamhost Spam Policy to allow even that “first” mailing. Granted, the construction of the policy leaves it a little unclear, but my take on it is that while paragraph 1 under “subscriptions” seems to allow what you suggest:


  1. Mailing list subscribers must specifically opt-into the list they are subscribed to. This applies to both new subscriptions and the bulk addition of addresses already subscribed via other means. Confirmation is handled using a single confirmation message sent to the subscriber’s email address. This mailing must contain a URL to the site’s privacy policy, a brief description of the mailing list, and a URL that the user must follow to confirm the subscription.

-emphasis is mine

it seems to proceed to contradict that in paragraph 2 and paragraph 4, subparagraph E:

The “sign-up”, as it was done on paper, has no IP address or “time” associated with it, but does have a “date” and a “real signature” associated with it. I really think that the IP Address and the time would only show that “somebody” signed-up (easily enough spoofed for the “sign-up” component) while the paper form’s signature (which, given the context of the form - joining a trade association and spending significant money) would seem to me to be a much more reliable indicator of the person’s identity.

Either way, the “first” email sent containing a confirming link, when clicked by the user, should be sufficient to verify that the remaining list members are truly “opt-in”.

So client sends that first email, possibly stating that the list was obtained from “(association name), whose records indicated you did not wish to be excluded from such mailings. This is the only such mail you will receive unless you specifically ‘opt-in’ to receive future mailings from us by ‘clicking here’ <link to “opt-in.cgi”>”. Recipient clicks link (the cgi collects the required data and tucks it away for safe keeping until such time user forgets he signed up and beefs client for spamming him) or user does not click the link, and email address is removed from list before any subsequent mailings.

Is this pretty much what you are describing? I’d love to be able to know that this scenario would leave us “good to go”, as we have made significant, and IMO, sufficient effort to make a clean list, and I think we behaved responsibly in every way.

What I worry about is that, if beefed on the initial mailing (all the above notwithstanding, it could happen!), we have no IP address, date, time info available (since the form was not electronic) DH might just say, “Account terminated for violation of Dreamhost Spam Policy Paragraph 4, sub-paragraph D”. End of story, begin major grief.

I suppose I could start a prolonged dialogue with Support over this, and I may, in fact, have to, as I am not about to risk my long association with Dreamhost over a misinterpretation of a policy I, and my clients, have followed faithfully since joining in 1998.

Sorry for the “longish” response…I’m just worried. Thanks, Matt, for the suggestion and I would greatly appreciate reading any other comments on the above as I try to decide what to do. I don’t really want to drop this on the tech-support desk given the current circumstances and all, but my client is becoming more and more demanding, and I can’t play him off indefinitely - something’s gotta give.


Thanks, kchrist for your excellent and useful response; I very much appreciate you taking the time to read, and respond to this thread!

I agree with you completely on that. It is unfortunate that I can’t control it, though I have made the suggestion :wink:

To me, the rest of your response is “pure gold”, in that it nicely sums up the very issues I have been trying to get my client to recognize as significant.

In this case, my client and I have had repeated conversations with the trade association about this process. They are convinced, and have been assured by their lawy*rs, that they and their members are handling this in an acceptable manner. They also represent that this is routine for them and that several of the other members have used these “sanitized” lists repeatedly without issue; those assurances do not mean a lot to me.

I agree that building a list slowly from our own site(s) is the best way to go, but I’m not likely to convince my client of that. He is very active and well-known in the association, and does not seem to be the least bit concerned that another association member, who (as are most of the members) is a competing retailer, could screw him to the wall with spam complaints if he does this.

Your description of the overall problems with using lists that have been sold is great! I’m hoping to make good use of that in my next discussion of the issue with my client. I’m not that hopeful he will “get it”, but you have given me better tools and I am grateful.

I see you have read Matttail’s latest response, and am wondering if my reaction is being overly paranoid? I understand that, to a significant degree, your response makes a good deal of that idea moot, but I am intrigued that his suggestion might be a way to build a confirmed opt-in list using the trade association list as a basis?

You have spent a lot of time reading my posts and responding. I want you to know that I am only refraining from naming the trade association here in the forum out of respect for my client, as opposed to trying to mask anything nefarious about their nature or purpose.

Please forgive my PM soon to be arriving, in which I will provide you with those details and initiate a discussion regarding compensating you for your consulting services. :slight_smile: