
Wednesday, August 24, 2016

Massive phone spam -- from Weatherby Healthcare

Weatherby healthcare hires physicians for “locum tennis” roles. That’s filling in for someone on holiday and the like.

They’ve contracted with the phone spam company from hell. My Google Voice number is deluged with calls like this (email of transcription):

Good morning. This is Kevin with weatherby Health care. I saw you recently inquired online about some outpatient work. I wanted to touch base with you. I'm currently working with several urgent care and outpatient facilities not only in your area, but throughout the country as well that are looking for a position like yourself to provide temporary full time or sporadic shift coverage they offer a high flexibility in the schedule and competitive pay rates. Give me a call back today would love to give you some additional information and details about these opportunities and see how I can be a resource for you my direct line here is 954 300 77 1821 again. This is Kevin with weatherby Healthcare 954 370-7828 have a great day.

and like this:

is Mike Ruskin weatherby Health Care's primary Care team. Hope you're doing well. I was reaching out to you because I came across your information, and I have some new open a family medicine positions available in Minnesota wanted to see if you or any colleagues should have I might be available. Give me a call back when you get this message. Let me know 954-343-2142 again Mike ross again with weatherby 954-343-2142. Thanks so much. Have a great day. Bye.

I blocked several of the numbers, but their phone spam operation is rotating through a large set. Number blocking doesn’t work.

I’ve turned off text messaging notifications of calls on my GV number and notifications from the GV app and notifications of missed calls. So the only notification I get is now email. In gmail I set a filter for any email with the text “weatherby health” to send it to the trash.

We desperately need a robocall/phone spam solution.

Oh, and if you’re a physician — please don’t answer calls from Weatherby. If you’re Weatherby, you’ve made a disastrous choice of marketing services.

PS. If you’re Google — your Google Voice phone spam filtering needs work.

Saturday, June 16, 2012

The evolution of spam: Nordstrom and mandatory spam acceptance

We've come a long way baby.

A year ago Nordstrom's began offering optional email receipts as "a convenient, environmentally friendly alternative to paper receipts."

Of course there are always a few skeptics who doubted Nordstrom's integrity, but USA Today was reassuring:

Retailers ditch paper and pen, use email for receipts - USATODAY.com

... no retailer serious about building a relationship with its customers would consider taking advantage of email access, said John Talbott, assistant director of Indiana University's Center for Education and Research in Retailing.

That's because for the retailer, the most significant benefit is being able to offer a service customers appreciate, he said. It isn't about cutting costs, he said, as less than 1% of a retailer's total revenue goes toward paper and ink for receipts.

Instead, the driving force is providing an option that makes the store a more appealing place to shop...

Yesterday Emily bought a shirt at Nordstrom's. The email receipt, she was told, was mandatory. No, of course there'd be no spam. She doesn't have a spam account, so she gave them her gmail account.

She got her first Nordstrom spam a few hours later. I'll show her how to use filters later today.

Not to worry though, paper receipts are not long for this world. Soon we'll be buying things with our phones. No spam there, since of course there's no tie between our phone's unique identifier and our email and phone number.

Wednesday, October 13, 2010

Friendly fire - how Dem spam killed my donations

I'm a good commie. Each cycle we give some money to help Dems.

Not this election though. Partly, that's because my team's spam has gone astronomical. The spam flow is legal though, because "political speech" isn't covered by the CAN-SPAM act of 2003.

Campaign spam comes with 'unsubscribe' links, but they don't seem to be connected to anything. Even if they were, however, I'd probably be re-enrolled with the next list update. I doubt the campaigns spend much on mailing list hygiene.

At least the email headers aren't faked, so I have about thirty Gmail filters that send all email from all identified campaign-related domains to the trash. I'm probably not the only one doing this though, because lately the domain names are proliferating. The speech spammers are trying to get around my filters.

This is a job for the DFL. Yes, it's a bit of a reach for them -- but we're talking money. Money talk gets politicians' attention. Here's what the DFL can do:
  1. Get serious about a state wide unsubscribe service. Tell campaigns that if they don't follow the rules, they don't get funding or DFL support.
  2. Forget about reaching me by email. There's nothing a politician can put in a mass email that will interest me (the vast majority of political speech is aimed at the undecideds). Instead set up narrowcast feeds aimed at literate geeks whose vote is not in doubt.
  3. Enjoy the money Emily and I will send after the spam stops.

Monday, September 20, 2010

Google's two factor authentication and why you need four OpenID accounts

My Google account was hacked two weeks ago, so today Google is deploying two factor authentication to (paid) Google Apps.

What, you think that's coincidental? You underestimate my power (cue mad laughter).

This is a good thing, but it won't prevent a keystroke logger from pinching your password if you use an insecure (ex: XP) machine. On the other hand, maybe I'll switch to a trivial password and just rely on the more robust 2nd factor.

Which brings me to OpenID and OAuth. In my latest post-hack "what am I doing" post I warned against OpenID. The only thing worse than losing a critical password to keystroke logging is losing a critical OpenID password.

Since then I've been thinking about where we're going, and I think there's a place for OpenID/OAuth and two factor authentication.  More specifically, there's a role for multiple OAuth (I'll drop the /OpenID for now) accounts - one for each of the five credential classes.

What's a credential class? Think in terms of how you'd feel about someone taking your credentials ...
I: You want it? Take it.
II: I'd rather you didn't.
III: Help!! Help!! 
IV: I'll fight you for it.
V: Kreegah bundolo! Kill!! 
We need a master account with Category V security. The One Ring account has two factor authentication and a robust reset procedure that might involve banks and other identity authentication services. It may be tied to a strong identity as well, but that's another post. You only enter these Category V credentials on a secure machine and an encrypted connection. The Master Account can be used to override and change the passwords on lesser accounts.

From the master account we have four other credentials (un/pw combinations), each with OpenID/OAuth services.

The Class IV credential service is what we use with Gmail and a range of high-end OpenID/OAuth services like banks. We enter these credentials only on a secure machine - but there's a degree of comfort from having a Class V account that can change passwords. On less secure machines maybe we use two factor authentication.

The Class III credentials are what we use anywhere that has credit card capabilities. Use these for Amazon and iTunes.

Class II credentials are for your spam only Yahoo email and the New York Times.

Class I credentials are for the Minneapolis Star Tribune.

In a world of widespread OAuth/OpenID type services and this type of master account we really need to know five passwords, and only three of them have to be decent passwords. We can manage that.

This is where we will go.

We can do it now of course, by setting up five Google accounts. It will probably get a lot easier when Google Apps start providing full Google account services for each user, with optional two factor authentication.

In fact, this is so simple I'm surprised MyOpenID doesn't do it already.

Maybe in two weeks.

Sunday, September 05, 2010

After the Google Hack: Life in the transparent society

My Google Account (Gmail and more) was hacked on 9/3/10, a day before I wrote about the risks of online backup.

I had a 99th percentile password. It had six letters, four numbers, no words or meaningful sequences. It wouldn't be in a dictionary. On the other hand, like Schneier and other security gurus, I didn't change it often. I also had it stored locally on multiple desktop and iPhone apps. As far as I know it wasn't stored on any reasonably current web app.

If my password had been a bike lock, it would have been one of those high end models. Enough to secure a mid-range bike on the principle that better bikes with cheaper locks were easy to find.

That wasn't enough. For some reason a pro thief [2] decided to pinch my mid-range bike. They didn't do any damage, they didn't seem to send spam [1]. They seem to have unlocked my bike, peeked around, and locked it again.

Why would a pro bother? Trust me, I lead an intensely narrowcast life. It's interesting to only a few people, and boring to everyone else.

On the other hand, it wasn't always so. "I coulda been a contendah." I knew people who have had interesting lives, I still correspond with some. If a pro was interested in me, it was most likely because of someone like that. My visitor was probably looking for correspondence. Once they found it, or confirmed my dullness, they wouldn't have further interest in me.

Fortunately even that correspondence is quite dull.

I've changed my password. The new one is 99.9th percentile. Doesn't matter, I doubt I'm much more secure.

This isn't a complete surprise. Passwords died as a high end security measure about ten years ago. What's more surprising, except in retrospect, is that you don't have to really do anything or be anybody to get some high end attention. You only have to be within 1-2 degrees of separation of someone interesting. Security and "interest" are "social"; even a dull person like me can inherit the security risk of an interesting acquaintance or correspondent.

Welcome to the transparent society. If you put something in the Cloud, you should assume it's public. Draw your own conclusions about the corporate Cloud business model and online backup, and remember your Gmail is public.

footnotes --

[1] Of course they could erase the sent email queue, but I haven't gotten any bounce backs. Anyway, there are much easier ways to send spam.
[2] Russian pro, Chinese government equivalent, etc. Why pro? Because the hacker didn't change my password after they hacked the account, they didn't trash anything obvious, they didn't send out spam, and the access was by an abandoned domain. I'm not vulnerable to keystroke logger hacks except at my place of employment and wifi intercepts are relatively infrequent. Still, it's all probabilities.

Tuesday, February 16, 2010

Good-bye Buzz – for now.

I’ve clicked the link at the bottom of my Gmail account to discontinue Google Buzz.

I was initially enthusiastic because of the value of Google Reader notes – a precursor to Buzz. I hoped Google would fix the notes confusion/neglect while also giving me a better version of Twitter.

Instead, Google’s most senior leadership, the people leading and testing Buzz, blew it big time. They failed to understand the multiplicity of adult identities. All I can guess is that Brin et al are so wealthy and powerful that they have become fundamentally disconnected from mainstream reality.

I gave Google some time to recover, but they’re only playing around the edges. Google remains determined to tie all Buzz discussions directly to a user’s public Google Profile, perhaps as a way to manage spam and to drive search/marketing revenue.

Disappointing, but I’ll be back if they fix it.

Update: Even though I've removed Buzz via Gmail, my Buzz posts still appear on my Google Profile. Not funny Google.

Update 2: I've reversed the procedure that made my Profile searchable. It's non-intuitive, but the "Display my full name..." setting in "edit profile" toggles searchability. When unchecked, a Google Search on my name no longer returns my profile. The profile URL has not changed and prior links still show the public view. That public view still includes Buzz posts even though I've disabled Buzz support in Gmail. I've removed other information from my Google Profile and I expect I'll continue to trim the profile unless Google has a dramatic conversion.

Update 2/17/2010: In depth critique - with cartoon. Credit for focus on the Profile.

Wednesday, December 02, 2009

It's not over. The rise of second generation spam.

First generation spam was pretty bad, but it's more or less under control now. Between sharpening spam recognition algorithms, crowd sourcing, and managing the reputation of authenticated sending services Google has beaten back the tide.

So that's it for spam?

Heh. Of course not. Now we have second generation spam.

Second generation spam does not use forged headers -- though the headers do seem to change a fair bit. This spam is not anonymous, it markets real goods, services - and politicians.

The goods and services aren't too hard to manage. I created a filter that sends anything from "buy.com" to the trash -- that took care of 80% of it.

The politicians are much worse. I get daily spam from fund raising politicos, PACs and other accessories to the political process. I now have about 25 Gmail filters that do nothing but delete all incoming email from their domains. The domains typically last a few months, and then there's a new crop. At this rate I'll have 200+ Gmail filters that delete email from largely defunct domains.

What? Ask to be removed from the lists? Clearly you're just toying with me. I tried that of course, but it doesn't work. I just get added back in the next time some politico buys a list. (Maybe I should start forwarding to spam@uce.gov as well?)

It's hard for any ISP to block this kind of spam. Politicians generally exempt themselves from laws that slow fundraising; if Google blocked their spam they'd be asking for a world of hurt. Better to get between a Grizzly and her cub than between a politician and your wallet.

We need a different approach to political spam. Sorry, I have to vote for some of these dorks -- better spam than Palin and her ilk! So changing my vote's not enough. Any ideas?

I do have one quick fix. Google could add a "blacklist all from this domain" to the message action select menu. Choose it and the message is deleted and the blacklist entry created in one move.

Another related fix -- allow Gmail users to share their blacklists. So Google wouldn't get in trouble, because we'd be choosing what to block.

Any other ideas?

Sunday, September 06, 2009

Death of email part XI: forwarded emails with big red phishing warnings

I own a few domains, including a Google Apps domain we use for our family [1]. My immediate family members, excluding Kateva (canid), have calendars and emails in the family domain. Overall, it works pretty well. It pounds Apple's warped MobileMe into the sand. Savagely.

For reasons that aren't worth trying to describe, I've used an email redirector for some of these accounts. This is forwarding at the domain level, not forwarding from an email account.

This used to work pretty well, but when I tested it on a new account two problems appeared:
  1. It was filtered to Google spam.
  2. A BIG RED PHISHING warning appeared when I opened the email.
I was able to correct this by marking it as 'not spam' and 'not phishing' (the UI for the latter is a bit non-obvious, I had to follow the help link in the phishing notice).

This is a great example of the tech churn meme I wrote of yesterday. Email is in a troubled state as it painfully moves from the old world of the naive net to the new world of authenticated messaging [2].

This redirect mechanism is clearly not going to work, perhaps because the redirecting domain has been used by spammers in forged email headers [3].

Ouch. This is definitely a problem. I have some workaround ideas, but this will be a bugger to test since Google doesn't talk much about what it's doing.

--

[1] Free edition. If google drops the price on their small business product I'd upgrade to get some customer support options.
[2] One reason people like facebook messaging is that it's deeply authenticated.
[3] The curse of old, private, domains. Mine is very old. There's no defense against such forgery. See also two 2006 posts about a related problem (this isn't new)

Thursday, August 20, 2009

Conde Nast's latest spam ploy - Acxiom's Delivery.net

Conde Nast, publishers of Gourmet and other periodicals, holds a place of dishonor among the world's scummiest spammers. It will be a sad commentary on humanity if the New York Times goes under and Conde Nast survives.

Spam must work for them, because they invest a fortune in spam and associated legal fees. They're not too hard to block; even though they change their email address every few months it's only a moment's work to add another Gmail 'filter to trash' rule.

Today, though, they're trying something new. They're sending their email using a "delivery.net" account with a dedicated spamming service:
Acxiom Digital

... Acxiom Digital helps the world's leading marketers create and deliver permission-based email marketing campaigns. Acxiom Digital acts as an agent for our clients in delivering email communications to their customers. Our clients own the data on their customers, including email addresses, which are gathered via permission-based processes at their website or other online and offline sources...

"Permission-based" my ass.

So now anything from 'delivery.net' is immediately deleted. It will be interesting to see what email address Conde Nast uses next.

Friends don't let friends buy Conde Nast products.

Thursday, March 12, 2009

Pogue reveals the GrandCentral/Google Voice matters I've missed

I've used GrandCentral and GrandDialer for months to call Canada free of charge. That alone paid for my iPhone's data service.

I didn't use any other GrandCentral features, mostly because they didn't seem that impressive.

Turns out, I was missing quite a bit. David Pogue, whose name is a hallmark for excellence in technology writing, fills in a heck of a lot of the gaps today. Read the entire article (emphases mine).

One thing Pogue diplomatically omits is that if you put your GC number on your business card your number will follow you even after you turn in your corporate cell phone ...

State of the Art - Unify the Phone Numbers and All Else Follows - Pogue - NYTimes.com

... Google Voice began life in 2005 as something called GrandCentral...GrandCentral’s solution was to offer you a new, single, unified phone number, in an area code of your choice. Whenever somebody dialed your uni-number, all of your phones rang at once...

... Each time you answered a call, while the caller was still hearing “one ringy-dingy, two ringy-dingies,” you heard a recording offering four ways to handle the call ... This subtle feature saved time, conserved cellular minutes and, in certain cases, avoided a great deal of interpersonal conflict.

GrandCentral also let you record a different voice mail greeting for each person in your address book..

... You could also specify which phones would ring when certain people called. ...you could even tell GrandCentral to answer with the classic, three-tone “The number you have dialed is no longer in service” ...

... Any time during a call, you could press the * key to make all of your phones ring again, so that you could pick up on a different phone in midcall. If you were heading out the door, you could switch a landline call to your cellphone.

GrandCentral also offered telemarketing spam filters, off-hour call blocking (“never ring my BlackBerry on weekends”), and a dizzying number of other functions...

... Google Voice starts with a clean, redesigned Web site that looks like an in-box, à la Gmail. It maintains all of those original GrandCentral features — but more important, introduces four game-changing new ones.

FREE VOICE MAIL TRANSCRIPTIONS ... the Web site displays transcribed words more faintly (light gray) when it is less confident about the transcription. Fortunately, it generally nails numbers — phone numbers, arrival times, addresses...

FREE CONFERENCE CALLING ...

... DIRT-CHEAP INTERNATIONAL CALLS If you dial your own Google Voice number from one of your phones, you’re offered an option to call overseas at rates even lower than Skype’s (and much lower than your cellphone company’s): 2 cents a minute to France or China, 3 cents to Chile or the Czech Republic. Sweet.

TEXT MESSAGE ORGANIZATION .. Google Voice, however, does the right thing: it sends text messages to whichever cellphones you want — even multiple phones simultaneously.

Even more important, it collects them in your Web in-box just like e-mail. You can file them, search them and, for the first time in cellphone history, keep them. They don’t vanish forever once your cellphone gets full.

You can also reply to them with a click, either with a call or another text; your back-and-forths appear online as a conversation.

... You can, if you wish, turn off that “press 1, press 2” option, so when the phone rings, you can just pick it up and start talking. Google has also done some Googlish integration; for example, your Gmail and Google Voice address books are the same.

... As a side effect of Google Voice’s ring-all-phones-at-once technology, you sometimes find fragments of Google Voice error recordings on the answering machines of the phones you didn’t answer. (Solution: make your voice mail greeting at least 15 seconds long.) There’s a learning curve to all of this, too...

The downside for me? Now I have to pay for my calls to Canada. Still, a great bargain.

I LOVE the address book integration. I'm looking forward to Google's iPhone client, which is pretty much a sure thing.

And when they add Google Video Chat and Gmail integration ...

I wonder what the phone companies did to piss off Google.

Update: Never fails. As of this moment GrandCentral isn't recognizing my un/pw. It worked this morning. Since I had a gmail account for email and a spamcop.net username I have a bad feeling about where the bug is.

Update: I guessed right about the bug, so I was able to fix it. The account info page on GC still shows my old username, it just doesn't work any more.

Apple had a similar problem recently. I wonder if this has any intersection with a recent Google bug that transiently locked me out of my entire Google identity!

Update 3/13/09: Some mobile phone plans have unlimited calling for 'friends and family' numbers. So if the GrandCentral number is 'friend and family' ...

Saturday, December 06, 2008

The unreliability of email - Apple MobileMe and Spamcop.net

Apple's been secretly blocking MobileMe email sent to spamcop.net.

So that desperate email for help your daughter sent you? She doesn't know you didn't get it.

Since Spamcop is a prime generator of anti-spam blacklists, Apple may be doing this for fear a MobileMe account bot will put me.com on a blacklist. If the covert block is policy rather than a bug, it's one more reason to despise Apple and pray for the success of the gPhone.

Other than reinforcing the folly of trusting Apple, this (again) teaches us that email is an unreliable message stream. Adding silent outgoing mail blocks to false positive spam blocks is a straw tossed atop an already broken camel. Snail mail is significantly more reliable.

For my part, I've had a spamcop.net address for at least six years, but even before this happened I'd decided I needed to deprecate it. In a year or two I'll discontinue the account.

I'm deprecating my spamcop email in an effort to decrease the complexity, and thus increase the reliability of my email stream. The details are too tedious to describe here, but briefly I've decided I need a multi-mode signed sending address from a 900 pound gorilla domain (gmail.com basically), a single personal blacklist to maintain, a strong identity tie to email, and to eliminate redirects of incoming email. It helps that after a very long, hard, development path, Gmail's spam filtering is now very good.

Saturday, August 16, 2008

Splog war friendly fire - Google whacks me for the sins of others

I think I now see why the indexing speeds of my kateva.org pages wax and wane...
Gordon's Tech: The hidden curse of spam blogs - collateral damage

I've noticed an unhappy correlation.

Periodically spam blogs (splogs) will start harvesting my posts.

When they do that, email from kateva.org begins to be filtered into Gmail's spam folders, my Google PageRank falls, and the site is indexed less often.

When the splogs move on to another victim, things reverse.

I'm just collateral damage.

Ouch.

What hurts the most, really, is the decreased indexing. I like being able to search my memory collection.
Splogs fraudulently assume a part of my "data signature", so Google assigns a part of their reputation to me. Google knows "me", after all, only by my data.

It's a new form of identity theft, one that biologists would readily understand.

In the end I'm collateral damage; splog wars between Google and the parasites are damaging my reputation -- and my memory.

Cyberwar is heck.

So, what do I do about it?

Update 8/18/08: Here's one view of the splog effect -- it's a list of splog posts generated in the past few hours from recent Gordon's Tech articles




Google is not yet omniscient. All it knows is that these posts are found here -- and in some very bad neighborhoods. We are the reputation of our data.

Tuesday, October 30, 2007

Is Google winning the spam wars?

I've posted on Gmail and spam fairly often. A year ago things looked pretty bad, but then I realized that my email redirection was poisoning the domain reputation algorithms Gmail used back then.

From Sept 1996 through July 2007 Gmail's spam filtering was doing pretty well, but in July they had a serious screwup. Mercifully by August it was under control and the results have been great for three months.

It seems Google's Gmail team has also noticed things are going well; today they declared light at the end of the tunnel. Google OS followed up with a bit more detail:
... Many Google teams provide pieces of the spam-protection puzzle, from distributed computing to language detection. For example, we use optical character recognition (OCR) developed by the Google Book Search team to protect Gmail users from image spam. And machine-learning algorithms developed to merge and rank large sets of Google search results allow us to combine hundreds of factors to classify spam," explains Google. "Gmail supports multiple authentication systems, including SPF (Sender Policy Framework), DomainKeys, and DKIM (DomainKeys Identified Mail), so we can be more certain that your mail is from who it says it's from. Also, unlike many other providers that automatically let through all mail from certain senders, making it possible for their messages to bypass spam filters, Gmail puts all senders through the same rigorous checks...
For years I've written that the way to defeat spam was through differential filtering based on the managed reputation of the authenticated sending service. This little blurb is consistent with Google implementing that approach.
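One way to sketch "differential filtering based on the reputation of the authenticated sending service", as an added example that is not Google's code or part of the original post. It assumes today's `Authentication-Results` header (RFC 8601) stamped by your own border server; the host names, reputation table, thresholds and content scores are all constructed.

```python
import re
from email import message_from_string

# Assumption: the authserv-id our own border MTA writes. Results stamped by
# any other host may have been inserted by the sender and are ignored.
TRUSTED_AUTHSERV = "mx.example.net"

# Constructed reputation per authenticated domain (0.0 = bad, 1.0 = good).
REPUTATION = {"lists.example.org": 0.9, "bulk-sender.example": 0.1}

def authenticated_domain(msg):
    """Return the domain proven by a passing DKIM or SPF result, else None."""
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^)]*\)", "", header)          # drop comments
        parts = [p.strip() for p in header.split(";")]
        ident = parts[0].split()
        if not ident or ident[0].lower() != TRUSTED_AUTHSERV:
            continue
        for clause in parts[1:]:
            m = re.match(r"(dkim|spf)\s*=\s*(\w+)", clause, re.I)
            if not m or m.group(2).lower() != "pass":
                continue
            prop = re.search(r"(?:header\.d|smtp\.mailfrom)\s*=\s*(\S+)",
                             clause, re.I)
            if prop:
                return prop.group(1).rsplit("@", 1)[-1].lower()
    return None

def classify(msg, content_score):
    """Pick the spam threshold from the sender's authenticated reputation.

    content_score is whatever the content classifier produced (0..1).
    Unauthenticated mail gets the strictest threshold; authenticated mail is
    still filtered, but how hard depends on the domain's track record.
    """
    domain = authenticated_domain(msg)
    if domain is None:
        threshold = 0.3
    else:
        threshold = 0.2 + 0.7 * REPUTATION.get(domain, 0.5)
    return ("spam" if content_score >= threshold else "inbox"), domain

def _msg(auth_results):
    # Constructed sample message carrying one Authentication-Results header.
    return message_from_string(
        f"Authentication-Results: {auth_results}\n"
        "From: Newsletter <news@lists.example.org>\n"
        "Subject: constructed sample\n\nbody\n")

GOOD = _msg("mx.example.net; dkim=pass header.d=lists.example.org; "
            "spf=pass smtp.mailfrom=bounce@lists.example.org")
# Same claim, but stamped by a host that is not ours: not trusted.
FORGED = _msg("mx.other.example; dkim=pass header.d=lists.example.org")
# Properly authenticated, but the domain has a poor record.
BULK = _msg("mx.example.net; dkim=pass (2048-bit key) header.d=bulk-sender.example")

if __name__ == "__main__":
    for name, m, score in (("good", GOOD, 0.6), ("forged", FORGED, 0.6),
                           ("bulk", BULK, 0.4)):
        print(name, classify(m, score))
```

Authentication only establishes who sent the message; the reputation attached to that identity decides how much benefit of the doubt the content gets.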

Today about 70% of Google's incoming mail is spam -- but that's an improvement! It used to be closer to 80%. Excluding a weird 2004 bump this is the most prolonged drop in three years.

My inbox is looking pretty good, and I hardly ever find anything in the spambox now (though I only scan about 20% of what I delete, I get a huge amount of spam).

Gee. I have something nice to say about Google!

Wednesday, July 18, 2007

Problems in Google-land: Gmail, Blogger and do you really trust Web 2.0?

Last week a bad update broke Google's BlogThis! tool. It took them a week to fix it, and there was never any official notification of the problem, though Google's support people did post in response to numerous help group complaints.

This week Gmail's spam filter is malfunctioning. The "whitelist" functionality is broken and it's miscategorizing email. I tried to post about this on the Gmail Group but the "problem" group is down (really, I'm not joking, they're out of order). Users who get large volumes of spam will inevitably lose email in the mess.

Google has not provided any notification on any blog, or on their help page, of the Gmail malfunction. (They did notify us that the Gmail Help Group is down, but that's rather obvious.)

It's the failure to notify, more than the bugs, that really concerns me. Google is not treating their customers respectfully.

The foundation of "Web 2.0" apps (what we once called "application service provider") is trust in the service provider. The "web 2.0" model doesn't need to be perfect -- all software has bugs and local hard drives fail, so traditional "owned" software models have their own problems. The "web 2.0" model does, however, require trust, and trust requires respect.

If Google can't respect their customers, who can? What does this say about all the other web 2.0 services that we increasingly rely upon?

Wednesday, July 04, 2007

Yahoo! filters gmail invites as spam

Old news, I'm sure, but given the slow and awful implosion of Yahoo! it's worth a smile.

If you send a gmail invite to Yahoo!, Yahoo!'s usually excellent spam filters mistakenly mark it as spam.

Gee, isn't that funny.

Yahoo! is dead.

Thursday, March 22, 2007

Spam with real addresses: another revolting development

Blacklists usually have limited value because spammers use bots, fake domains, etc. Lately, however, much of my spam has been coming from real companies and organizations with persistent email addresses. The good news is this spam is trivially easy to blacklist.



On the one tentacle the legitimization of spam feels like another bit of bad news for our ailing email, but on the other tentacle ever since I figured out how I was making Gmail hate me I've been pleased with its spam filtering. Email is still alive, for now ...

Wednesday, December 20, 2006

AOL and Yahoo: email down the tubes

AOL has been on a long slow death spiral for about 10 years, but I didn't realize Yahoo was in dire straits until I read this announcement from my ISP:
VISI | Announcements | Difficulty sending mail to yahoo.com or aol.com?

Over the past weeks, it appears that Yahoo has begun grey-listing all (or most) incoming mail. This means that they are rejecting the first mail delivery attempts and telling sending servers to try again later. Yahoo also appears to be grey-listing with content filters. In this case, customers may see the error message: message text rejected by mx1.mail.yahoo.com: 451 This message indicates that suspicious content was detected, but that the sending server may try again.

For mail grey-listed automatically or by IP, users may see: : connect to x.mx.mail.yahoo.com[209.191.aaa.xxx]: server refused mail service You may also see error code 421 in the error response.

Generally, this email is also being retried, however, if retried too soon, it will be rejected again. It may even be rejected permanently by Yahoo with no change in error message that we have found. Yahoo's documentation claims that they are not grey-listing, but instead are filtering mail based upon the sending server's compliance with standard mail practices. Our servers, however, are compliant, but we are still seeing significant deferrals. Yahoo is also testing DomainKeys verification, which we are reviewing to potentially mitigate the problem. There appears to be no way to contact Yahoo about this except via web forms that do not generate any response except confirmation of receipt. We recommend that any users forwarding email to yahoo.com addresses cease forwarding or redirect to another location.

Of course, this affects not only customers forwarding mail to Yahoo, but ANYONE attempting to send mail to Yahoo addresses.

AOL

AOL uses an automated system to block mail from potential spam sources. When mail is reported as spam by users, the IP addresses for servers used to transmit the mail are recorded, and, once their limit has been reached, IP addresses are blocked from sending mail to AOL for 24 to 48 hours. This can be exacerbated by VISI customers forwarding email to their own AOL accounts and then reporting any forwarded spam, which can result in temporary blocks of VISI mail server IP addresses. The automated system is COMPLETELY automatic, and no intervention is possible in expediting removal of IP addresses. Unfortunately, this will affect ANY customer attempting to send to AOL addresses, not just forwards to AOL accounts. As with Yahoo, above, we recommend that any users forwarding email to aol.com addresses cease forwarding or redirect to another location.
I ran into a variant of this problem with Gmail. I was redirecting an unfiltered email stream to Gmail, and when I read the mail in Gmail I "marked" the spam. Alas, Gmail looks at the redirect as the source of the email, so the more I marked as spam the lower the reputation of the redirector fell. Over time Gmail marked more and more valid emails as spam, and missed more and more spam. I fixed it by filtering the mail stream, and never marking anything that was redirected as spam (I just delete it).

The bizarre Yahoo and AOL responses to the spam deluge tell us how dire their financial situations are, but I must also say that Visi should have figured out DomainKeys a year ago. Maybe Yahoo is doing this in part to force adoption of DomainKeys; too bad their execution is incompetent.

In the meantime, encourage anyone you know who's still using Yahoo or AOL to get out fast and switch to Gmail.

Update 12/21/06: There's a good defensive strategy for those of us still using SMTP services (non-webmail) btw. Get a Gmail account and configure your dedicated email client to use Gmail's SMTP service. If Google is your sending service, I suspect Yahoo and AOL won't be blacklisting the sending domain.
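The grey-listing behaviour described in the VISI announcement above, as an added Python sketch (not code from VISI, Yahoo or this blog): a receiver defers a new sender with a 451 until a minimum delay has passed, so a sender that retries too soon keeps being deferred. The triplet key, the 300-second window and the sample addresses are assumptions for illustration, not Yahoo's actual settings.

```python
from dataclasses import dataclass, field


@dataclass
class Greylist:
    """Receiver-side greylist keyed on (client IP, envelope sender, recipient)."""
    min_delay: int = 300                      # assumed wait in seconds for a new triplet
    first_seen: dict = field(default_factory=dict)

    def check(self, ip, mail_from, rcpt_to, now):
        key = (ip, mail_from.lower(), rcpt_to.lower())
        seen = self.first_seen.setdefault(key, now)   # remember the first attempt
        if now - seen < self.min_delay:
            return 451, "temporary failure, try again later"
        return 250, "ok"


def deliver(greylist, triplet, retry_offsets):
    """Replay a sender's retry schedule (seconds after the first attempt).
    Returns [(offset, smtp_code), ...], stopping at the first accepted attempt."""
    log = []
    for offset in retry_offsets:
        code, _ = greylist.check(*triplet, now=offset)
        log.append((offset, code))
        if code == 250:
            break
    return log


def classify(code):
    """4xx replies are deferrals to queue and retry; 5xx replies are permanent."""
    if 400 <= code < 500:
        return "defer"
    if 500 <= code < 600:
        return "bounce"
    return "delivered" if 200 <= code < 300 else "other"


# Constructed sample data: documentation-range IP and example.* addresses.
TRIPLET = ("192.0.2.10", "alice@example.org", "bob@example.com")
IMPATIENT = [0, 30, 60, 120]   # every retry falls inside the delay window
PATIENT = [0, 60, 900]         # last retry falls after the window

if __name__ == "__main__":
    for name, schedule in (("impatient", IMPATIENT), ("patient", PATIENT)):
        attempts = deliver(Greylist(), TRIPLET, schedule)
        print(name, [(t, classify(c)) for t, c in attempts])
```

Because the key includes the client IP, a retry that leaves from a different outbound server starts the wait over, which is one way a compliant sender can still see long deferrals.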

Friday, September 22, 2006

Google Spreadsheets: the next Gmail?

Google hit a home run with Gmail, despite my personal problems with its spam management.

Looks like they may be equally serious about Google Spreadsheets, judging by what they're adding. For many home users this is plenty of functionality; this will probably be my wife's spreadsheet and a shared workspace for quite a few things we do (lists, schedules, etc).

It's time for me to create an internal family page with links to key web apps and services that we'll use on our home network and remotely -- a kind of shared application space.

Thursday, September 21, 2006

Spam: blacklists are back, and the war may be turning

I didn't expect to have anything good to say about the spam wars after my recent Gmail meltdown. Surprise.

It began when I finally accepted that Google is a set of adaptive algorithms rather than a traditional corporation. That meant I could sit back and rethink things. Google was malfunctioning because I had redirected an unfiltered mailstream at Gmail, and Google seems to be effectively doing something I'd asked for years ago: selective filtering based on the managed reputation of an authenticated sending service. In this case Google was treating the 'sending service' as my redirector (which I don't think authenticates), rather than the distal source of the email. That meant faughnan.com acquired a reputation, from Google's perspective, as a really bad place.

Well, I can't be too mad if they're doing what I'd long urged everyone to do. It would have been nice if I'd known about it earlier, but them's the breaks. Don't do redirection to Gmail and expect it to like you for long.

So I turned off all the redirects, forwarded from Gmail to my ISP (VISI), flowed faughnan.com and spamcop.net to VISI's Postini service, and finally dropped all my email lists. Lists are very 20th century, this is the age of subscription/notification (Atom/RSS). Good-bye lists. The world calmed down.

With all the lists gone, and postini churning away, it was interesting to see what spam got through. Lots of political solicitations (Note to dems: you can get my money again when you stop spamming me) and various incredibly annoying newsletters. What they all had in common was that the domains were real. Yes, spam with persistent, verifiable, domains.

Some had unsubscribe links and some of those even worked -- though my experience with the political spam is that one's email gets back on their lists shortly after it's removed (recycled by the trading of addresses), just as in the world of physical junk mail. No matter, because with persistent and verifiable domains, personal blacklists work.

I've blacklisted 9 domains, all of whom have failed multiple unsubscribe attempts, and with postini and these few filters, my spam is gone. (Note Gmail filters will do this easily too).
  1. mail.united.com
  2. itw.itworld.com
  3. theclubbingforum.net
  4. travelmole.net
  5. trustmakers.com
  6. emaillabs.com
  7. peakperformancellc.com
I have less spam in my inbox than I've had for five years. Wow. Sure my postini spambox has hundreds of entries, but I've reviewed them -- all spam, no false positives.

The war, dare I say, is turning. Next step, once I've verified with spamcop, is going to be to redirect my mailstream through spamcop and back into Gmail, which will then be receiving a "purified" stream. I'm hoping Gmail will "learn" that the domain has been "rehabilitated". Gmail can forward copies to my VISI account, so I'll be back to having a local store of my email as well. Updates to follow.

Update 9/22/06: Spamcop approved my plans and Gmail is back in the loop. This is the current setup:
  • several less used email accounts, including an ancient mindspring account, all forward to faughnan.com
  • my faughnan.com email forwards to my spamcop.net address where the heavy filtering occurs. I
  • my spamcop address forwards to my gmail address, that's where I keep a set of blacklist filters as above
  • my gmail account keeps a copy and forwards to my visi.com address
  • I use POP and IMAP on various machines to view and collect email from visi.com
So the mail I'm forwarding to Gmail is now cleansed by spamcop, which does a pretty darned good decent job. This also means that faughnan.com is no longer the proximal forwarding account, so what spam there is should count against it. BTW, a good tip for creating a "secret" mailbox like the visi account I use for POP services -- use GRC Passwords to create the username, something like "1E22F67AFD3116925A". That prevents spammers "guessing" the username and putting spam through.

Update 10/4/06: Since my original post, a few updates:
  • spamcop does a decent job, but not quite as good as VISI's postini. I may try moving their spamassassin settings up a notch (default is minimal, spamcop is very domain focused)
  • I added a Gmail filter so that email sent directly to my Gmail address gets a unique tag. Since only spammers and Gmail use that address it helps me quickly identify spam. More importantly, it's safe to mark email sent directly to my Gmail account as spam. If spam gets redirected to my Gmail account I delete it, I don't mark it "as spam". I think if I mark redirected email as spam Gmail assigns a poor reputation to the redirector, which I don't want.
  • I'm now getting about 3-4 spams in my Gmail inbox daily, of which 75% is spam that passed through the spamcop filters. I'll see if I can improve that a bit but it's tolerable.
Update 9/6/09: An updated version of the problem. In the years since I wrote this I've taken Spamcop out of the picture, but a new quirk may have arisen.
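The handling rules from this post (the personal domain blacklist, and the 10/4/06 rule that only mail addressed directly to the Gmail address is safe to report as spam), as an added Python sketch rather than the author's actual Gmail filters. The direct address, the forwarder address and the sample messages are placeholders constructed for the example, and checking the To/Cc headers is an assumption about how "sent directly" is detected.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# The seven domains listed in the post.
BLOCKED = {"mail.united.com", "itw.itworld.com", "theclubbingforum.net",
           "travelmole.net", "trustmakers.com", "emaillabs.com",
           "peakperformancellc.com"}
# Placeholder for the Gmail address that is never given out (assumption).
DIRECT_ADDRESS = "me@gmail.example"


def domain_blocked(addr, blocked=BLOCKED):
    """True if the sender domain is a blocked domain or a subdomain of one.
    Matching on label boundaries keeps lookalike names from matching."""
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    return any(domain == b or domain.endswith("." + b) for b in blocked)


def triage(raw):
    """Return 'trash', 'direct' or 'forwarded' for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1]
    if domain_blocked(sender):
        return "trash"        # personal blacklist hit
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    rcpts = {addr.lower() for _, addr in getaddresses(headers)}
    if DIRECT_ADDRESS in rcpts:
        return "direct"       # sent straight to Gmail: safe to report as spam
    return "forwarded"        # arrived via the redirector: delete, never report


# Constructed sample messages (not real mail).
SAMPLES = {
    "subdomain of blocked": "From: Deals <offers@news.mail.united.com>\nTo: me@forwarder.example\n\nhi\n",
    "lookalike": "From: x@nottravelmole.net\nTo: me@forwarder.example\n\nhi\n",
    "direct": "From: x@unknown.example\nTo: ME@gmail.example\n\nhi\n",
    "parent domain": "From: x@united.com\nCc: me@forwarder.example\n\nhi\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:22} -> {triage(raw)}")
```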

Sunday, September 17, 2006

Be evil: Gmail, spam, data lock and a digital identity bill of rights

My Gmail account is dying of dysfunctional spam filtering. Too bad. Well, I can just delete it and start over. After all, I've always been careful to keep a local repository of all my email -- I don't have to try to download via POP tens of thousands of messages. I don't even need my Gmail address, I only ever give out personal email addresses that redirect to Gmail. I've been so careful to maintain a layer of indirection ... or have I?

Ahh. Not so fast. Google checkout (purchase records), Picasa Web Albums (just paid $30 for the 9GB storage), Google Earth (I have the upgrade account, also $30 or so), my search history, my Google spreadsheets, my Google Apps -- there are now 15 services inextricably linked to my Google digital identity -- and Gmail is the core of that identity. Soon my blogs, including this one, will move to that identity. Some of this data can be extracted, much cannot.

So can I keep the Gmail account in a sort of moribund state, setting spam filtering to an extreme level? No, Gmail doesn't allow one to control spam filtering. Yahoo email does, Gmail does not. You get the default.

It's a nasty situation. I'm wed to Google, but my bride is demonstrating sociopathic tendencies. Divorce is very expensive. Such are the perils of "data lock", but ownership of digital identity is worse than conventional "data lock" -- it starts to smell a bit like indentured servitude.

We need a digital identity bill of rights. I'll write more on this, but here are two off the top of my head:
  1. Digital identity must be portable using a well defined public standard.
  2. Digital identity must be independent of services. In other words -- there's a layer of indirection between my digital identity and my email account, my credit card account, my eCash account ...
Only two requirements, but it's a start. It means that neither Google nor Microsoft nor my credit card company nor my checking account can own my digital identity. They may host my digital identity, but I need to be able to migrate it, with appropriate authentication, to another host without breaking the associated services.

Google, unwittingly or with full knowledge, is now Evil. How can Google become less evil? They could adopt the Digital Identity Bill of Rights. The first step would be to separate a user's Gmail address from Google's digital identity, the next step would be to adopt and define an open standard so that Google customers could opt to migrate to another Digital Identity host.

If Amazon, Yahoo, or even Microsoft were to adopt this Bill of Rights, they'd get my business. I think Amazon would be my first choice.

Update 9/22/06: But then things began looking better ...