Showing posts with label spam. Show all posts

Saturday, February 07, 2009

AT&T sends more SMS Spam, locusts infest exec underwear

The phone chirped notice of an incoming text message. We don't have an SMS plan, so that's unusual. Was it an urgent message from my wife?

I struggled to pull the phone from my pocket. Oops, drifting in my lane a bit. A sharp correction ... too sharp on black ice. The van spins into the path of the oncoming oil tanker.

It's all so fast. The crunch and shattering glass, the crushing pain, then the searing fireball. The last thing I see is the message ...
"AT&T FREE MSG: Share your love ... Add a Line for your Valentine! Visit an AT&T Store .."
Lungs searing, I gasp out my Death Wish.

A plague of locusts infests the underwear of the AT&T executive team -- and that's just the beginning ...

Apparently, AT&T was not discouraged by the reaction to their American Idol spam ...
Gordon's Notes: Annals of idiocy - AT&T spams customers about a TV show

... lunacy like AT&T's recent bonehead move deserves at least a whimper or two (emphases mine) ...
AT and T Sends Customers ‘Idol’ Ads - NYTimes.com

Some AT&T Wireless customers have voted an emphatic no on a promotion for “American Idol” that popped up on their phones this week.

AT&T, a sponsor of the show, said it sent text messages to a “significant number” of its 75 million customers, urging them to tune in to the season premiere on Tuesday night...

... Mark Siegel, a spokesman for AT&T Wireless, said the message was meant as a friendly reminder. “We want people to watch the show and participate,” Mr. Siegel said. He added, “It makes perfect sense to use texting to tell people about a show built on texting.”

... Mr. Siegel said the message went to subscribers who had voted for “Idol” singers in the past, and other “heavy texters.” He said the message could not be classified as spam because it was free and because it allowed people to decline future missives...

... Richard Cox, the chief information officer for Spamhaus, a nonprofit antispam organization based in Britain, countered: “It’s absolutely spam. It’s an unsolicited text message. People who received it didn’t ask for it. That’s the universal definition of spam.”..
So now they're back, advertising AT&T services.

I replied "STOP" to the message. I suspect I'll be dinged 20 cents for that one. There will be more.

I wonder how they know not to send these things to, say, US Senators? They must have some way to avoid infuriating people who might hurt them with something more material than imaginary locusts.

Maybe AT&T has forgotten that it's not the Bush era any more. Betty McCollum is our US Senator, and soon, if we're lucky, Al Franken will join her. He's not there yet, so let's see if Betty is interested in sending AT&T some Minnesota love ...

See also: AT&T's rebate scam. I wonder if they've had any serious accounting audits lately; corporations who play these sorts of games tend to play other games too ...

Wednesday, February 04, 2009

Buy.com: Queen of the named spammers

The Buy.com spam has been flowing in lately. Amazing variety, amazing volumes. I'd blacklisted them a year ago, so I was a bit surprised. (See my personal blacklist of named spammers).

Turns out they'd gotten another email address of mine, probably scraped from the net, and their spam was flowing in from a new hole. I decided to submit a 'remove request' and see if they were any better behaved these days, but that just doubled the sewage.

So I've closed the new opening. Of course I'll never purchase anything through Buy.com. I'm disappointed that Google Checkout hasn't dropped them.

Conde Nast is the king of the named (public) spammers, but Buy.com is a close second!

I hope they're not long from this world. Please avoid them.

Tuesday, January 13, 2009

Annals of idiocy - AT&T spams customers about a TV show

We live in numbing times. There's not much outrage left; we have to marshal what we have to deal with the Cheney/Bush torture program.

Still, lunacy like AT&T's recent bonehead move deserves at least a whimper or two (emphases mine) ...
AT and T Sends Customers ‘Idol’ Ads - NYTimes.com

Some AT&T Wireless customers have voted an emphatic no on a promotion for “American Idol” that popped up on their phones this week.

AT&T, a sponsor of the show, said it sent text messages to a “significant number” of its 75 million customers, urging them to tune in to the season premiere on Tuesday night...

... Mark Siegel, a spokesman for AT&T Wireless, said the message was meant as a friendly reminder. “We want people to watch the show and participate,” Mr. Siegel said. He added, “It makes perfect sense to use texting to tell people about a show built on texting.”

... Mr. Siegel said the message went to subscribers who had voted for “Idol” singers in the past, and other “heavy texters.” He said the message could not be classified as spam because it was free and because it allowed people to decline future missives.

“It’s clearly marked in the message what you need to do if you don’t want to participate,” he said. “It couldn’t be more open and transparent.”

Richard Cox, the chief information officer for Spamhaus, a nonprofit antispam organization based in Britain, countered: “It’s absolutely spam. It’s an unsolicited text message. People who received it didn’t ask for it. That’s the universal definition of spam.”..

...Mr. Siegel of AT&T defended the use of the medium given that voting by text message had played a big role in “American Idol.”

“Text messaging is the perfect way for us to tell people about this wildly successful show and to watch it,” he said...
Mr. Siegel's soul has had a rather bad day. I hope he sends it out for some rehab. Being a spokesbot for AT&T can't be pleasant.

AT&T's cell phone spam attack is not as bad as SONY injecting malware into their customers' computers, but it still deserves a spark of outrage.

Ok, a feeble squib of outrage.

Still. Something.

Update 2/7/09: Gizmodo's comments.

Monday, March 17, 2008

Phishing traps via blog post comments - a newer variant

The other day I allowed a comment a bit like this one to be added to one of my blogs:
Hello. This post is likeable, and your blog is very interesting, congratulations :-). I will add in my blogroll =). If possible gives a last there on my blog, it is about the Smartphone, I hope you enjoy. The address is http://_____.blogspot.com.
The spelling and grammar were a bit better, but the form was similar (I removed part of the URL). I checked the site prior to approving the post and it seemed superficially legitimate.

Today I received two more pending comments, each with slightly different wording and different web topics.

Clearly, I got fooled. I shouldn't have allowed the first comment of this class. I'll have to hunt it down and delete it.

My guess is all the sites referenced in these comments are either compromised legitimate sites or they are trap sites. Maybe all they need is for someone reviewing the posts, like me, to check if the site is legitimate. The recent "breaking" of Google's CAPTCHA technology may be a part of the operation.

I just hope I used a Mac for my original site check, and not my XP machine! XP boxes are so vulnerable they really shouldn't be allowed on the web.

I'll be extra careful going forward.

Update 3/11/2010: I loved this comment I received today ...
So, you aproved one of the comments and received a few similar ones? What's bad about that? You don't have to approve the other ones if you don't want to. I don't see any trap here.
The author's name was linked. It didn't resolve to a person, it resolved to a spam blog (splog) article. It wasn't a direct phishing attack comment, but it was of the same genre of comment spam. In this case the desire is to increase pointers to a fraudulent web site, to do "search engine optimization".

Why do I love this example of comment spam? Because it's a fraudulent comment complaining that I'm dissing fraudulent comments. That's kind of funny.

Tuesday, October 30, 2007

Is Google winning the spam wars?

I've posted on Gmail and spam fairly often. A year ago things looked pretty bad, but then I realized that my email redirection was poisoning the domain reputation algorithms Gmail used back then.

From Sept 1996 through July 2007 Gmail's spam filtering was doing pretty well, but in July they had a serious screwup. Mercifully by August it was under control and the results have been great for three months.

It seems Google's Gmail team has also noticed things are going well; today they declared light at the end of the tunnel. Google OS followed up with a bit more detail:
... Many Google teams provide pieces of the spam-protection puzzle, from distributed computing to language detection. For example, we use optical character recognition (OCR) developed by the Google Book Search team to protect Gmail users from image spam. And machine-learning algorithms developed to merge and rank large sets of Google search results allow us to combine hundreds of factors to classify spam," explains Google. "Gmail supports multiple authentication systems, including SPF (Sender Policy Framework), DomainKeys, and DKIM (DomainKeys Identified Mail), so we can be more certain that your mail is from who it says it's from. Also, unlike many other providers that automatically let through all mail from certain senders, making it possible for their messages to bypass spam filters, Gmail puts all senders through the same rigorous checks...
For years I've written that the way to defeat spam was through differential filtering based on the managed reputation of the authenticated sending service. This little blurb is consistent with Google implementing that approach.

Today about 70% of Google's incoming mail is spam -- but that's an improvement! It used to be closer to 80%. Excluding a weird 2004 bump this is the most prolonged drop in three years.

My inbox is looking pretty good, and I hardly ever find anything in the spambox now (though I only scan about 20% of what I delete, I get a huge amount of spam).

Gee. I have something nice to say about Google!

Thursday, October 11, 2007

Captcha death: My DeLong comment fails

I was trying to submit a comment to Brad DeLong's typepad based blog:
Grasping Reality with Both Hands: Brad DeLong's Semi-Daily Journal - typepad comments

Verify your comment
As a final step before posting your comment, enter the letters and numbers you see in the image below. This test is used to prevent automated robots from posting comments.
I authenticated using my TypePad ID, but I was still asked to pass the captcha test. I tried four times, but the captcha kept getting more and more cryptic. I had to give up.

I swear I have a high res 21" LCD and I can still read. True, I am a bit demented, but so is everyone over 25.

I assume that captcha difficulty is being driven by the spam wars. I think we've now hit the wall. The spam technology and/or techniques have defeated the captcha.

It's time for phase II - the end of anonymous comments and robust identity management.

Wednesday, October 10, 2007

Why would computerworld send me spam?

I know Conde Nast has a spam addiction, but why is Computerworld sending me marketing emails? It's a bit weird. My guess is that they use a very old fashioned email address for opt-in email, and that spam using one of my email addresses hit their opt-in list.

The reason I suspect this is that their opt-out process requires an email address to be submitted, which is also archaic.

I'm filtering all their email to the trash now, so if they want to send me a note they'll have to use the comments to this post. If they'd had a one-click embedded link opt-out I'd have given them another chance, but if they're not guilty of spam they're certainly guilty of technical incompetence. Firing offense either way.

Monday, October 01, 2007

Condé Nast and Spam: what's the deal here?

Condé Nast Publications publishes "Gourmet" magazine. Judging by the ads the readership is classically bourgeois. So why do they generate so much spam? It's amazing -- every email address I've ever had gets spam from Conde Nast, usually about "Gourmet". Unsubscribe attempts always fail.

It's easy to eliminate -- I just block "condenastpubs.com". Still, it's weird. I suspect a good portion of the middle class doesn't mind getting spam from Gourmet ...

Update 10/14/07: Judging from a helpful comment, this appears to be a business decision by Conde Nast, not a technical error or a fluke. I think there's a strong case to be made for blacklisting the condenast.com domain.

Incidentally, as of today a Google search on "conde nast spam" has this blog post as the top hit. I suspect someone from Conde Nast is going to read this. They can add their comments below, I promise I'll publish them. They can't email me, since I've blacklisted their domain.

Update 1/18/07: I got another Gourmet magazine spam -- but the domain was erol.com. Turns out this is not a Gourmet spam after all; it's a phishing email. I suspect even Conde Nast hasn't fallen that far. It's a measure of how low they have fallen, however, that phishers are now riding their spammy coattails.

Wednesday, September 05, 2007

Boingo Wireless adds another iPhone requirement

Boingo Wireless is responsible for another entry to my iPhone Mandatory Demand List. I've elevated "bridge PC to WLAN" from "desirable" to "essential" -- because Boingo has taken over the airport HotSpot business.

I very much dislike Boingo. I want to be able to use my iPhone to bridge a laptop to the Net so I never have to deal with Boingo again. Why do I detest Boingo? I'll list 4 quickies:
  1. This morning my registration failed -- until I checked the "spam me" box that Boingo had originally checked and I'd unchecked. A convenient bug, no doubt.
  2. Boingo insists on installing their software on my machine. I'm reasonably confident it's ugly stuff, but even if it were the purest product I don't want Boingo forcing it on me. In fact their connectivity service works fine if you download the file but skip the installation step.
  3. You can't simply enter your billing information and start using Boingo, you have to "register". I'm running out of pseudonyms and fake email addresses.
  4. Did I mention they've eliminated all the other airport HotSpot vendors?

Wednesday, July 18, 2007

Problems in Google-land: Gmail, Blogger and do you really trust Web 2.0?

Last week a bad update broke Google's BlogThis! tool. It took them a week to fix it, and there was never any official notification of the problem, though Google's support people did post in response to numerous help group complaints.

This week Gmail's spam filter is malfunctioning. The "whitelist" functionality is broken and it's miscategorizing email. I tried to post about this on the Gmail Group but the "problem" group is down (really, I'm not joking, they're out of order). Users who get large volumes of spam will inevitably lose email in the mess.

Google has not provided any notification on any blog, or on their help page, of the Gmail malfunction. (They did notify us that the Gmail Help Group is down, but that's rather obvious.)

It's the failure to notify, more than the bugs, that really concerns me. Google is not treating their customers respectfully.

The foundation of "Web 2.0" apps (what we once called "application service provider") is trust in the service provider. The "web 2.0" model doesn't need to be perfect -- all software has bugs and local hard drives fail, so traditional "owned" software models have their own problems. The "web 2.0" model does, however, require trust, and trust requires respect.

If Google can't respect their customers, who can? What does this say about all the other web 2.0 services that we increasingly rely upon?

Wednesday, July 04, 2007

Yahoo! filters gmail invites as spam

Old news, I'm sure, but given the slow and awful implosion of Yahoo! it's worth a smile.

If you send a gmail invite to Yahoo!, Yahoo!'s usually excellent spam filters mistakenly mark it as spam.

Gee, isn't that funny.

Yahoo! is dead.

Friday, June 22, 2007

Boingo - how to run a business - into the ground

Boingo teaches us that great wealth brings great ... stupidity?

Our local airport has outsourced their wireless services to Boingo. Fair enough, I thought, I'll just get an $8 day pass. I've done that with T-mobile and they have a reasonable approach. Enter a credit card number, get access.

So, I click and wait, and wait, finally the service responds. It tries twice to sign me up for a 3 month pass, but I'm trying to keep this simple. I don't want a relationship with Boingo, I want net access.

Ok, I finally get to the day pass. Now sign up requires an email address (so they can send me spam) and a username and password. I guess they really do want a relationship.

I give 'em my spam address (only spam goes there, occasionally I retrieve product trial keys from it) and my usual username. It's in use. I probably signed up once before. Ok, I'll try another. It's in use too. This is getting annoying. I start using scatological usernames, like "idiots" and "stupidboingo" and, finally, fckboingo. In use. All of them. Including the last.

Boingo clearly has a less than delighted customer base.

I give up. Is Boingo some sort of evil psychology experiment? A Scientologist [1] plot to activate deeply buried engrams? More proof that there's no sense to where money flows? Or all of the above ...

[1] Boingo's CEO, Sky Dayton, is a prominent Scientologist.

Thursday, June 14, 2007

Botnets, ovarian cancer, MySpace "offenders" and Bayes

What do botnets, the "symptom" definition for ovarian cancer, MySpace "sex offenders", and homeland security passenger screening have in common?

They all teach us that we need to start teaching Bayesian analysis in 7th grade.

Consider the FBI's guideline for knowing your home PC is a zombie bot:

BBC NEWS | Technology | FBI tries to fight zombie hordes

...The organisation said it was difficult for people to know if their machine was part of a botnet.

However it said telltale signs could be if the machine ran slowly, had an e-mail outbox full of mail a user did not send or they get e-mail saying they are sending spam.

Of these only the last is a useful clue, and it's a stupid bot that leaves such obvious traces. Does any Windows machine not run slowly? It's the very nature of XP that machines slow as they age, a disturbingly familiar trait. The emails "you have sent spam" are either the result of forged headers or they're traps by bot harvesters to recruit victims.

In other words, these tests have weak sensitivity, very weak specificity, and no predictive value. The advice is worse than worthless because, if followed, it would cause vast expense and produce no value. (ISPs can detect bots however, and they should be held liable for failing to detect and notify.)

Ovarian cancer?

...The symptoms to watch out for are bloating, pelvic or abdominal pain, difficulty eating or feeling full quickly and feeling a frequent or urgent need to urinate. A woman who has any of those problems nearly every day for more than two or three weeks is advised to see a gynecologist, especially if the symptoms are new and quite different from her usual state of health...

Gynecologist? Sigh. Family medicine is truly dead. Anyway, this basically translates to a very inefficient but reimbursable screening program. The symptoms are completely nonspecific, so we're basically doing massive amounts of vaginal ultrasound. It would probably be better to simply start a screening program, but focus on persons with known risk factors. Lots of easy money for gynecologists though. Gee, I wonder who wrote up the recommendation?

MySpace? We've covered that one before. A test with low specificity, low sensitivity, lousy predictive value, and it may be used by law enforcement too. 

Passenger screening? See MySpace. Same techniques, same problems. The new regulations that every US traveler to Canada or Mexico have a passport, aka a true national ID card, will make matches less unreliable however. The test will then become more specific.

Bayes, Bayes, Bayes. We need to start teaching it in 7th grade.
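The base-rate arithmetic behind the botnet paragraph above, as an added example that is not part of the original post. The bot prevalence and the sensitivity and specificity figures are constructed assumptions for illustration, not measurements, and the signs are treated as conditionally independent:

```python
"""Bayes' theorem applied to weak 'is my PC a bot?' signs (constructed numbers)."""

PRIOR = 0.10  # assumed share of home PCs that are bots

# Constructed (sensitivity, specificity) pairs for two of the signs in the post.
SIGNS = {
    "machine runs slowly": (0.60, 0.30),
    "mail saying 'you are sending spam'": (0.10, 0.90),
}


def ppv(prior: float, sens: float, spec: float) -> float:
    """Positive predictive value: P(bot | sign present)."""
    true_pos = sens * prior
    false_pos = (1.0 - spec) * (1.0 - prior)
    return true_pos / (true_pos + false_pos)


def combined_posterior(prior: float, signs) -> float:
    """P(bot | every sign present), multiplying likelihood ratios onto prior odds."""
    odds = prior / (1.0 - prior)
    for sens, spec in signs:
        odds *= sens / (1.0 - spec)  # positive likelihood ratio of this sign
    return odds / (1.0 + odds)


def specificity_needed(prior: float, sens: float, target_ppv: float) -> float:
    """Minimum specificity a sign needs to reach target_ppv at this base rate."""
    max_fpr = sens * prior * (1.0 - target_ppv) / (target_ppv * (1.0 - prior))
    return 1.0 - max_fpr


def false_alarms(population: int, prior: float, spec: float) -> int:
    """Clean machines flagged if the whole population applies the sign."""
    return round(population * (1.0 - prior) * (1.0 - spec))


if __name__ == "__main__":
    for name, (sens, spec) in SIGNS.items():
        print(f"{name:36s} PPV = {ppv(PRIOR, sens, spec):.3f} (prior {PRIOR:.2f})")
    print("both signs together:",
          round(combined_posterior(PRIOR, SIGNS.values()), 3))
    print("specificity needed for PPV 0.5 at sens 0.6:",
          round(specificity_needed(PRIOR, 0.60, 0.50), 3))
    print("false alarms per million PCs ('runs slowly'):",
          false_alarms(1_000_000, PRIOR, 0.30))
```

With these inputs a positive "runs slowly" sign leaves the probability of infection below the base rate, and stacking a second uninformative sign on top does not change that.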

Saturday, June 02, 2007

21st century deception and the evolution of the emergent mind

I had two (or is it one?) idiosyncratic talents as a wastrel youth. I had a knack for great boondoggles, and I could, upon a cursory book reading, write a persuasive this-is-connected-to-that high school English essay.

This is one of those connectionist essays. I'm going to claim that many of the themes of this blog, such as
are fundamentally related to the quintessential human activity - the detection and execution of fraud and deception [1]. Quintessential, because it is likely that deceiving and detecting deception played a central role in the evolution of human mind and culture.

My hunch is that each transformation of the human landscape, either by technology or culture, opens new avenues for fraud and deception. I suspect, for example, that if we looked closely we'd find that widespread adoption of printing and reading led to a vast array of newly effective cons and schemes. Print must have been very persuasive in those days; anything that was printed would bypass the fraud detection measures of the pre-print era.

We live now in another golden age of fraud. It's not just the obvious spam driven stock manipulation, the raging identity theft, Hilary's friends at InfoUSA, or even fake gluten, medications, glycerine, and surgical supplies. It's also the vast array of extremely unreliable consumer goods that are so cheap they've eliminated the alternatives, incidentally creating a deceptive inflation picture.

There's a bright side - I hope. We're overwhelmed at the moment, but our children will grow up in this world. They will spot the Bush/Rove cons their parents missed, they will resurrect the concept of a brand reputation and push the fakes back into dark alleys, they'll recognize the limits of "caveat emptor" and resurrect the FDA. Best of all, just as deception detection upgraded brains tens of thousands of years ago, so too will "social" deception detection raise our emergent IQ. Maybe just in time to respond to Sachs's call for a new enlightenment.

So I am an optimist, after all. True, the glass is half empty. True, the contents are poisoned. Nonetheless, we will live to quaff again ...

[1] I need to here credit my 1994 UMN cognitive science professor - Paul Johnson. I thought harder and read more in his class than any other in far too many years of education. Dr. Johnson's research focuses on the cognitive science aspects of deception.

Saturday, April 07, 2007

Spam: latest innovation - social engineering by consecutive email threads and using process patents as an offensive weapon

Diabolical. Really, any non-geek online doesn't stand much of a chance these days.

The latest innovation in my spam employs an automated incremental social engineering strategy. I received 4 messages over a period of two days from an aol.com address. They went to my junk email account (yahoo.com) but evaded Yahoo's quite good spam filters [Google's filters are also failing recently, must be another new innovation]. They are written to sound like emails sent accidentally to the wrong person, with language and style that's apparently designed to be "appealing":
i'm wondering if you were able to open my card
i didn't realized you called my cell untill my tango class
you won't believe richard called me around 1 pm like nothing happened,
he was asking me if i want to joined him and his friend for dinner
i said i have to prepare my report for trump, and it's true
the man is not all there, i sent him e-mail tonight
The key innovation is that they're progressive and not nonsensical. The early messages are benign, but the later messages include links and images. I imagine the idea is that the recipient is lulled into thinking these are "legitimate" and thus relatively trusted, and eventually responds or interacts with the messages. Then the payload is delivered.

It's easy to imagine how sophisticated these schemes will become.

I've read that spam fighting is now limited by a range of process patents on techniques like 'managed reputation filtering of authenticated sending services'. I wonder if the spammers hold the process patents. It would make sense for a spammer to use process patents to block all possible spam defenses, thereby turning the defective (Bush/Cheney strangled of course) US patent office into an offensive weapon. Rather similar to a pathogen turning an organism's immune system against it.

I expect we'll have to wait for Cheney/Bush to retire before we see any redress.

Thursday, March 22, 2007

Spam with real addresses: another revolting development

Blacklists usually have limited value because spammers use bots, fake domains, etc. Lately, however, much of my spam has been coming from real companies and organizations with persistent email addresses. The good news is this spam is trivially easy to blacklist.



On the one tentacle the legitimization of spam feels like another bit of bad news for our ailing email, but on the other tentacle ever since I figured out how I was making Gmail hate me I've been pleased with its spam filtering. Email is still alive, for now ...

Monday, March 12, 2007

Are process patents a spammer's best friend?

Process patent fears are directly responsible, I claim, for six years of arrested progress in digital image formats. Paul Vixie, quoted in O'Reilly Radar, claims they're also responsible for the spam that's destroying email ...
O'Reilly Radar > Another War We're Not Winning: Us vs Spam

...every potential smtp improvement or replacement that could do anything to actually stop spam, has been systematically patented. the crap that's left isn't going to do any good. we're headed for walled gardens...
This seems credible to me. Process patents have a strangle hold on software development. I assume something will break them, but I don't know what.

In the meantime, I'll put spam into the same category as JPEG -- a consequence of a disastrous decision by the US congress to extend patent law into processes, and then to drastically underfund the patent office.

Monday, January 22, 2007

Spam: state of the art report

MSNBC's Rob Sullivan has a spam report. The numbers are indeed staggering. I wonder what percentage of net traffic is made up of "high grade" material -- excluding spam, porn, illegal file sharing etc. I'm guessing it's in the 20-30% range overall. A surprising amount of net traffic now is file sharing, and it's widely believed that almost all of that (by volume) is copyrighted material. Emphases mine.

... Not long ago, there seemed hope that spam had passed its prime. Just last December, the Federal Trade Commission published an optimistic state-of-spam report, citing research indicating spam had leveled off or even dropped during the previous year.

Instead, it now appears spammers had simply gone back to the drawing board. There's more spam now than ever before.

In fact, there's twice as much spam now as opposed to this time last year... About half of all spam sent now is "image spam," containing server-clogging pictures that are up to 10 times the size of traditional text spam. And most image spam is stock-related, pump-and-dump scams which can harm investors who don't even use e-mail. About one-third of all spam is stock spam now.

... There are 62 billion spam messages sent every day, IronPort says, up from 31 billion last year. Now, spam accounts for three of every four e-mails sent, according to another anti-spam firm, MessageLabs.

Image spam is a big part of the resurgence of unwanted e-mail. By using pictures instead of words in their messages, spammers are able to evade filters designed to detect traditional text-based ads. New computer viruses have contributed to the uptick, also, particularly a surprisingly prolific Trojan horse program called "SpamThru" that turns home computers into spam-churning "bots."

... Stock spam is effective because no Web link is required, Cluley said. In old-fashioned spam, criminals generally try to trick recipients into clicking on a link and buying something. Many e-mail programs now block direct Web links from e-mails, rendering click-dependent spam much less effective. But stock messages merely have to make the recipient curious enough about a company to motivate him or her to buy a few shares through a broker.

There is another element that helps perpetuate stock spam, Stark said – he believes speculators unrelated to the original spam sometimes try to “play the momentum” surrounding a spam campaign – either getting in early on a pump-and-dump campaign to profit as shares rise, or by “shorting” stocks, betting that they will fall after the spam campaign flames out.

...

Image spam, which seems not inseparable from stock spam, can arrive entirely devoid of text, but that’s not common. Most messages have what appears to be nonsense text pasted above and below the image. Experts call this "word salad," or "good word poisoning."..

... The word jumble is generally borrowed from news headlines or classic books like Charles Dickens' “David Copperfield,” the text of which is often available online. The seemingly random text actually serves an important purpose -- to foil or confuse word-based spam filtering.

... Spammers continually refine and combine their techniques, said Doug Bowers, senior director of anti-abuse engineering at Symantec. The firm recently found spam attached to legitimate newsletters that appear to be from big companies, including a Viagra ad atop a 1-800-Flowers e-mail newsletter and another on an NFL fantasy league letter. Such e-mails are simply spam masquerading as authentic, with real content borrowed from legitimate companies. They are similar to phishing e-mails, and so are much more likely to be opened by recipients than traditional spam, Bowers said...

Natural selection is causing spam to evolve very quickly. We're recreating biological evolution at a frenetic pace. Defense requires more complex algorithms, which lead quickly to more complex attacks. Maybe every technological civilization succumbs when its spam becomes sentient ...

The stock tip churn process may work for quite a while. It will eventually become a contest between spammers and speculators, with each speculator hoping they can hop off fast enough before the "house" calls the game. Of course the spammers will always know more, so they'll always come out ahead. Some speculators will win too, so it will be a lot like going to the casino. In time the spammers will learn to keep the game interesting.

My favorite spam fighting technique, the reputation management of authenticated sending services, works even against spambots. I think this is what Google is doing now, even though they're very quiet about it.

Tuesday, January 16, 2007

Buy.com: why so much spam?

I get thousands of spams each month. It's extremely rare that any have a valid return address. The exceptions are politicians and Buy.com.

The politicians I understand. Mercifully they have consistent email addresses; a simple entry in my spamcop blacklist takes care of them.

Buy.com I don't get. I was getting one spam a week or so from them, so I clicked on the unsubscribe link. After that I got 3 spams a day - until I finally roused myself to blacklist them.

What the heck were they thinking?

Update 1/18/07: Looks like there were two spam streams, one direct and one through google checkout. My blacklist stopped the direct one, and google checkout supports disabling the mail address they used. So they had me twice. They're toast as far as I'm concerned.

Wednesday, December 20, 2006

AOL and Yahoo: email down the tubes

AOL has been on a long slow death spiral for about 10 years, but I didn't realize Yahoo was in dire straits until I read this announcement from my ISP:
VISI | Announcements | Difficulty sending mail to yahoo.com or aol.com?

Over the past weeks, it appears that Yahoo has begun grey-listing all (or most) incoming mail. This means that they are rejecting the first mail delivery attempts and telling sending servers to try again later. Yahoo also appears to be grey-listing with content filters. In this case, customers may see the error message: message text rejected by mx1.mail.yahoo.com: 451 This message indicates that suspicious content was detected, but that the sending server may try again.

For mail grey-listed automatically or by IP, users may see: : connect to x.mx.mail.yahoo.com[209.191.aaa.xxx]: server refused mail service You may also see error code 421 in the error response.

Generally, this email is also being retried, however, if retried too soon, it will be rejected again. It may even be rejected permanently by Yahoo with no change in error message that we have found. Yahoo's documentation claims that they are not grey-listing, but instead are filtering mail based upon the sending server's compliance with standard mail practices. Our servers, however, are compliant, but we are still seeing significant deferrals. Yahoo is also testing DomainKeys verification, which we are reviewing to potentially mitigate the problem. There appears to be no way to contact Yahoo about this except via web forms that do not generate any response except confirmation of receipt. We recommend that any users forwarding email to yahoo.com addresses cease forwarding or redirect to another location.

Of course, this affects not only customers forwarding mail to Yahoo, but ANYONE attempting to send mail to Yahoo addresses.

AOL

AOL uses an automated system to block mail from potential spam sources. When mail is reported as spam by users, the IP addresses for servers used to transmit the mail are recorded, and, once their limit has been reached, IP addresses are blocked from sending mail to AOL for 24 to 48 hours. This can be exacerbated by VISI customers forwarding email to their own AOL accounts and then reporting any forwarded spam, which can result in temporary blocks of VISI mail server IP addresses. The automated system is COMPLETELY automatic, and no intervention is possible in expediting removal of IP addresses. Unfortunately, this will affect ANY customer attempting to send to AOL addresses, not just forwards to AOL accounts. As with Yahoo, above, we recommend that any users forwarding email to aol.com addresses cease forwarding or redirect to another location.
I ran into a variant of this problem with Gmail. I was redirecting an unfiltered email stream to Gmail, and when I read the mail in Gmail I "marked" the spam. Alas, Gmail looks at the redirect as the source of the email, so the more I marked as spam the lower the reputation of the redirector fell. Over time Gmail marked more and more valid emails as spam, and missed more and more spam. I fixed it by filtering the mail stream, and never marking anything that was redirected as spam (I just delete it).
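The AOL behaviour quoted above and the Gmail variant share one mechanism: a spam report is charged to the last relay that handed the message over, not to the original sender. A toy model of that, as an added example (not code from this post, VISI, AOL or Gmail); the complaint limit, the relay address and the sample mail stream are constructed assumptions:

```python
"""Toy model: complaint-driven blocking keyed on the last-hop relay IP."""
from dataclasses import dataclass, field

FORWARDER_IP = "192.0.2.10"  # constructed: ISP server relaying forwarded mail
COMPLAINT_LIMIT = 3          # assumed; the announcement only says "their limit"
BLOCK_SECONDS = 24 * 3600    # announcement: blocks last 24 to 48 hours


@dataclass
class Receiver:
    """Mailbox provider that attributes each message to the relay that sent it."""
    complaints: dict = field(default_factory=dict)     # relay IP -> report count
    blocked_until: dict = field(default_factory=dict)  # relay IP -> unblock time
    last_hop: dict = field(default_factory=dict)       # message id -> relay IP

    def accept(self, msg_id: str, relay_ip: str, now: int) -> bool:
        if self.blocked_until.get(relay_ip, 0) > now:
            return False  # relay is serving a block, so the mail is refused
        self.last_hop[msg_id] = relay_ip
        return True

    def report_spam(self, msg_id: str, now: int) -> None:
        # The report lands on the forwarding relay, not on the spammer.
        ip = self.last_hop[msg_id]
        self.complaints[ip] = self.complaints.get(ip, 0) + 1
        if self.complaints[ip] >= COMPLAINT_LIMIT:
            self.blocked_until[ip] = now + BLOCK_SECONDS
            self.complaints[ip] = 0


# Constructed stream arriving at the forwarding ISP: (message id, is_spam)
INBOUND = [("m1", True), ("m2", False), ("m3", True), ("m4", True),
           ("m5", False), ("m6", True), ("m7", False)]


def simulate(prefilter: bool, report_forwarded: bool) -> dict:
    """Forward INBOUND through FORWARDER_IP and count what the receiver does."""
    rx, now = Receiver(), 0
    delivered = legit_refused = 0
    for msg_id, is_spam in INBOUND:
        now += 60
        if prefilter and is_spam:
            continue  # spam dropped before it is ever forwarded
        if not rx.accept(msg_id, FORWARDER_IP, now):
            legit_refused += 0 if is_spam else 1
            continue
        delivered += 1
        if is_spam and report_forwarded:
            rx.report_spam(msg_id, now)
    # A different customer of the same ISP now sends ordinary direct mail.
    bystander_accepted = rx.accept("other-customer", FORWARDER_IP, now + 60)
    return {"delivered": delivered, "legit_refused": legit_refused,
            "bystander_accepted": bystander_accepted}


if __name__ == "__main__":
    print("forward unfiltered, report spam:", simulate(False, True))
    print("filter before forwarding:       ", simulate(True, True))
    print("forward, delete without report: ", simulate(False, False))
```

Only the first run, an unfiltered forward whose spam gets reported, ends with the relay blocked and an unrelated customer's mail refused.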

Yahoo's and AOL's bizarre responses to the spam deluge tell us how dire their financial situations are, but I must also say that Visi should have figured out DomainKeys a year ago. Maybe Yahoo is doing this in part to force adoption of DomainKeys; too bad their execution is incompetent.

In the meantime, encourage anyone you know who's still using Yahoo or AOL to get out fast and switch to Gmail.

Update 12/21/06: There's a good defensive strategy for those of us still using SMTP services (non-webmail) btw. Get a Gmail account and configure your dedicated email client to use Gmail's smtp service. If Google is your sending service, I suspect Yahoo and AOL won't be blacklisting the sending domain.