
Thursday, September 21, 2006

Spam: blacklists are back, and the war may be turning

I didn't expect to have anything good to say about the spam wars after my recent Gmail meltdown. Surprise.

It began when I finally accepted that Google is a set of adaptive algorithms rather than a traditional corporation. That meant I could sit back and rethink things. Google was malfunctioning because I had redirected an unfiltered mailstream at Gmail, and Google seems to be effectively doing something I'd asked for years ago: selective filtering based on the managed reputation of an authenticated sending service. In this case Google was treating the 'sending service' as my redirector (which I don't think authenticates), rather than the distal source of the email. That meant faughnan.com acquired a reputation, from Google's perspective, as a really bad place.

Well, I can't be too mad if they're doing what I'd long urged everyone to do. It would have been nice if I'd known about it earlier, but them's the breaks. Don't do redirection to Gmail and expect it to like you for long.

So I turned off all the redirects, forwarded from Gmail to my ISP (VISI), flowed faughnan.com and spamcop.net to VISI's Postini service, and finally dropped all my email lists. Lists are very 20th century, this is the age of subscription/notification (Atom/RSS). Good-bye lists. The world calmed down.

With all the lists gone, and postini churning away, it was interesting to see what spam got through. Lots of political solicitations (Note to dems: you can get my money again when you stop spamming me) and various incredibly annoying newsletters. What they all had in common was that the domains were real. Yes, spam with persistent, verifiable, domains.

Some had unsubscribe links and some of those even worked -- though my experience with the political spam is that one's email gets back on their lists shortly after it's removed (recycled by the trading of addresses), just as in the world of physical junk mail. No matter, because with persistent and verifiable domains, personal blacklists work.

I've blacklisted 9 domains, all of whom have failed multiple unsubscribe attempts, and with postini and these few filters, my spam is gone. (Note Gmail filters will do this easily too).
  1. mail.united.com
  2. itw.itworld.com
  3. theclubbingforum.net
  4. travelmole.net
  5. trustmakers.com
  6. emaillabs.com
  7. peakperformancellc.com
I have less spam in my inbox than I've had for five years. Wow. Sure my postini spambox has hundreds of entries, but I've reviewed them -- all spam, no false positives.

The war, dare I say, is turning. Next step, once I've verified with spamcop, is going to be to redirect my mailstream through spamcop and back into Gmail, which will then be receiving a "purified" stream. I'm hoping Gmail will "learn" that the domain has been "rehabilitated". Gmail can forward copies to my VISI account, so I'll be back to having a local store of my email as well. Updates to follow.

Update 9/22/06: Spamcop approved my plans and Gmail is back in the loop. This is the current setup:
  • several less used email accounts, including an ancient mindspring account, all forward to faughnan.com
  • my faughnan.com email forwards to my spamcop.net address where the heavy filtering occurs. I
  • my spamcop address forwards to my gmail address, that's where I keep a set of blacklist filters as above
  • my gmail account keeps a copy and forwards to my visi.com address
  • I use POP and IMAP on various machines to view and collect email from visi.com
So the mail I'm forwarding to Gmail is now cleansed by spamcop, which does a pretty darned good decent job. This also means that faughnan.com is no longer the proximal forwarding account, so what spam there is should count against it. BTW, a good tip for creating a "secret" mailbox like the visi account I use for POP services -- use GRC Passwords to create the username, something like "1E22F67AFD3116925A". That prevents spammers "guessing" the username and putting spam through.

Update 10/4/06: Since my original post, a few updates:
  • spamcop does a decent job, but not quite as good as VISI's postini. I may try moving their spamassassin settings up a notch (default is minimal, spamcop is very domain focused)
  • I added a Gmail filter so that email sent directly to my Gmail address gets a unique tag. Since only spammers and Gmail use that address it helps me quickly identify spam. More importantly, it's safe to mark email sent directly to my Gmail account as spam. If spam gets redirected to my Gmail account I delete it, I don't mark it "as spam". I think if I mark redirected email as spam Gmail assigns a poor reputation to the redirector, which I don't want.
  • I'm now getting about 3-4 spams in my Gmail inbox daily, of which 75% is spam that passed through the spamcop filters. I'll see if I can improve that a bit but it's tolerable.
Update 9/6/09: An updated version of the problem. In the years since I wrote this I've taken Spamcop out of the picture, but a new quirk may have arisen.

Tuesday, October 30, 2007

Is Google winning the spam wars?

I've posted on Gmail and spam fairly often. A year ago things looked pretty bad, but then I realized that my email redirection was poisoning the domain reputation algorithms Gmail used back then.

From Sept 1996 through July 2007 Gmail's spam filtering was doing pretty well, but in July they had a serious screwup. Mercifully by August it was under control and the results have been great for three months.

It seems Google's Gmail team has also noticed things are going well; today they declared light at the end of the tunnel. Google OS followed up with a bit more detail:
... Many Google teams provide pieces of the spam-protection puzzle, from distributed computing to language detection. For example, we use optical character recognition (OCR) developed by the Google Book Search team to protect Gmail users from image spam. And machine-learning algorithms developed to merge and rank large sets of Google search results allow us to combine hundreds of factors to classify spam," explains Google. "Gmail supports multiple authentication systems, including SPF (Sender Policy Framework), DomainKeys, and DKIM (DomainKeys Identified Mail), so we can be more certain that your mail is from who it says it's from. Also, unlike many other providers that automatically let through all mail from certain senders, making it possible for their messages to bypass spam filters, Gmail puts all senders through the same rigorous checks...
For years I've written that the way to defeat spam was through differential filtering based on the managed reputation of the authenticated sending service. This little blurb is consistent with Google implementing that approach.

Today about 70% of Google's incoming mail is spam -- but that's an improvement! It used to be closer to 80%. Excluding a weird 2004 bump this is the most prolonged drop in three years.

My inbox is looking pretty good, and I hardly ever find anything in the spambox now (though I only scan about 20% of what I delete, I get a huge amount of spam).

Gee. I have something nice to say about Google!

Wednesday, December 20, 2006

AOL and Yahoo: email down the tubes

AOL has been on a long slow death spiral for about 10 years, but I didn't realize Yahoo was in dire straits until I read this announcement from my ISP:
VISI | Announcements | Difficulty sending mail to yahoo.com or aol.com?

Over the past weeks, it appears that Yahoo has begun grey-listing all (or most) incoming mail. This means that they are rejecting the first mail delivery attempts and telling sending servers to try again later. Yahoo also appears to be grey-listing with content filters. In this case, customers may see the error message: message text rejected by mx1.mail.yahoo.com: 451 This message indicates that suspicious content was detected, but that the sending server may try again.

For mail grey-listed automatically or by IP, users may see: : connect to x.mx.mail.yahoo.com[209.191.aaa.xxx]: server refused mail service You may also see error code 421 in the error response.

Generally, this email is also being retried, however, if retried too soon, it will be rejected again. It may even be rejected permanently by Yahoo with no change in error message that we have found. Yahoo's documentation claims that they are not grey-listing, but instead are filtering mail based upon the sending server's compliance with standard mail practices. Our servers, however, are compliant, but we are still seeing significant deferrals. Yahoo is also testing DomainKeys verification, which we are reviewing to potentially mitigate the problem. There appears to be no way to contact Yahoo about this except via web forms that do not generate any response except confirmation of receipt. We recommend that any users forwarding email to yahoo.com addresses cease forwarding or redirect to another location.

Of course, this affects not only customers forwarding mail to Yahoo, but ANYONE attempting to send mail to Yahoo addresses.

AOL

AOL uses an automated system to block mail from potential spam sources. When mail is reported as spam by users, the IP addresses for servers used to transmit the mail are recorded, and, once their limit has been reached, IP addresses are blocked from sending mail to AOL for 24 to 48 hours. This can be exacerbated by VISI customers forwarding email to their own AOL accounts and then reporting any forwarded spam, which can result in temporary blocks of VISI mail server IP addresses. The automated system is COMPLETELY automatic, and no intervention is possible in expediting removal of IP addresses. Unfortunately, this will affect ANY customer attempting to send to AOL addresses, not just forwards to AOL accounts. As with Yahoo, above, we recommend that any users forwarding email to aol.com addresses cease forwarding or redirect to another location.
I ran into a variant of this problem with Gmail. I was redirecting an unfiltered email stream to Gmail, and when I read the mail in Gmail I "marked" the spam. Alas, Gmail looks at the redirect as the source of the email, so the more I marked as spam the lower the reputation of the redirector fell. Over time Gmail marked more and more valid emails as spam, and missed more and more spam. I fixed it by filtering the mail stream, and never marking anything that was redirected as spam (I just delete it).
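The complaint-driven block described in the announcement, and the forwarder problem that follows from it here and in the September 2006 post, can be modelled in a few lines. This is an added example, not code from VISI, AOL or Google; the complaint limit, the 24-hour block, the relay address and the message stream are constructed assumptions, and the pre-filter is assumed to be perfect.

```python
from collections import defaultdict

# Assumed policy values: the announcement says only "24 to 48 hours" and
# does not state how many complaints trigger a block.
COMPLAINT_LIMIT = 3
BLOCK_SECONDS = 24 * 3600

FORWARDER_IP = "192.0.2.10"  # constructed address standing in for the ISP relay


class Receiver:
    """Mailbox provider that tracks complaints per connecting (last-hop) IP."""

    def __init__(self):
        self.complaints = defaultdict(int)
        self.blocked_until = {}

    def accept(self, last_hop_ip, now):
        """True if mail handed over by this IP is accepted at time `now`."""
        return now >= self.blocked_until.get(last_hop_ip, 0)

    def report_spam(self, last_hop_ip, now):
        """A user reports a message; blame lands on the IP that delivered it."""
        self.complaints[last_hop_ip] += 1
        if self.complaints[last_hop_ip] >= COMPLAINT_LIMIT:
            self.blocked_until[last_hop_ip] = now + BLOCK_SECONDS
            self.complaints[last_hop_ip] = 0


# Constructed stream of (origin_ip, is_spam). The receiver never sees
# origin_ip: every message arrives from FORWARDER_IP.
STREAM = [
    ("198.51.100.7", True), ("203.0.113.5", False),
    ("198.51.100.8", True), ("198.51.100.9", True),
    ("203.0.113.5", False), ("203.0.113.6", False),
    ("198.51.100.7", True), ("203.0.113.5", False),
]


def simulate(stream, prefilter, report_forwarded):
    """Forward `stream` through the relay, one message per minute.

    prefilter        -- the relay drops spam before forwarding
    report_forwarded -- the user reports forwarded spam at the receiver
    """
    rx = Receiver()
    delivered_ham = rejected_ham = 0
    for minute, (_origin_ip, is_spam) in enumerate(stream):
        now = minute * 60
        if prefilter and is_spam:
            continue  # never reaches the receiver
        if not rx.accept(FORWARDER_IP, now):
            if not is_spam:
                rejected_ham += 1  # legitimate mail caught by the block
            continue
        if is_spam:
            if report_forwarded:
                rx.report_spam(FORWARDER_IP, now)
        else:
            delivered_ham += 1
    return {
        "delivered_ham": delivered_ham,
        "rejected_ham": rejected_ham,
        "forwarder_blocked": FORWARDER_IP in rx.blocked_until,
    }


if __name__ == "__main__":
    for prefilter, report in [(False, True), (False, False), (True, True)]:
        print(prefilter, report, simulate(STREAM, prefilter, report))
```

Only the first case, an unfiltered forward combined with reporting, blocks the relay and costs legitimate mail; filtering before the forward or deleting instead of reporting both avoid it.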

Yahoo's and AOL's bizarre responses to the spam deluge tell us how dire their financial situations are, but I must also say that Visi should have figured out DomainKeys a year ago. Maybe Yahoo is doing this in part to force adoption of DomainKeys; too bad their execution is incompetent.
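The grey-listing behaviour the VISI announcement describes (first attempt deferred, a retry that comes too soon deferred again) looks like this from both sides of the SMTP exchange. This is an added example, not Yahoo's or VISI's code; the 5-minute minimum delay, the 4-hour pending window, the triplet key and the addresses are assumptions chosen for illustration.

```python
MIN_DELAY = 300           # assumed: retries sooner than 5 minutes are deferred
PENDING_TTL = 4 * 3600    # assumed: a triplet not retried in 4 hours is forgotten


class Greylist:
    """Receiver side: defer unknown (client IP, sender, recipient) triplets."""

    def __init__(self, min_delay=MIN_DELAY, pending_ttl=PENDING_TTL):
        self.min_delay = min_delay
        self.pending_ttl = pending_ttl
        self.first_seen = {}   # triplet -> time of first deferred attempt
        self.passed = set()    # triplets that have retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now):
        """Return (smtp_code, text) for a delivery attempt at time `now`."""
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return 250, "OK"
        first = self.first_seen.get(key)
        if first is None or now - first > self.pending_ttl:
            # New or expired triplet: remember it and ask for a retry.
            self.first_seen[key] = now
            return 451, "greylisted, try again later"
        if now - first < self.min_delay:
            return 451, "retried too soon"
        # Retried after the minimum delay: accept this and later mail.
        self.passed.add(key)
        del self.first_seen[key]
        return 250, "OK"


def deliver(greylist, triplet, retry_schedule, start=0):
    """Sender side: try at `start`, then at each offset (seconds) in
    `retry_schedule`, stopping at the first 250. Returns [(time, code), ...]."""
    log = []
    for offset in [0] + list(retry_schedule):
        now = start + offset
        code, _text = greylist.check(*triplet, now)
        log.append((now, code))
        if code == 250:
            break
    return log


# Constructed envelope: relay IP, envelope sender, recipient.
TRIPLET = ("192.0.2.10", "alice@example.org", "bob@example.net")

if __name__ == "__main__":
    gl = Greylist()
    # A queue that backs off past the minimum delay gets through.
    print(deliver(gl, TRIPLET, [60, 120, 600]))
    # The same triplet is then accepted on the first attempt.
    print(deliver(gl, TRIPLET, [], start=700))
    # A sender that only retries quickly and gives up never delivers.
    print(deliver(Greylist(), TRIPLET, [30, 60, 90]))
```

A sending server's retry schedule needs at least one attempt between the receiver's minimum delay and its pending window, which is why mail "retried too soon" keeps being deferred.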

In the meantime, encourage anyone you know who's still using Yahoo or AOL to get out fast and switch to Gmail.

Update 12/21/06: There's a good defensive strategy for those of us still using SMTP services (non-webmail) btw. Get a Gmail account and configure your dedicated email client to use Gmail's smtp service. If Google is your sending service, I suspect Yahoo and AOL won't be blacklisting the sending domain.

Wednesday, November 24, 2004

Gmail - has a handle on spam

Gmail - Inbox

Very little spam gets through the gmail spam filters now. The number in my Spam box is falling. I decided not to empty that box, because:

1. Google doesn't provide an easy way to empty it.
2. I've a hunch they weight their spam filters based on what's left in the Spam box. It's what I'd do.

So they've got a handle on the problem now. Yay for them!

Update: The spam folder has dropped from about 1500 entries to about 200. Gmail's antispam technology has really kicked in. I get almost no spam.

Sunday, September 17, 2006

Be evil: Gmail, spam, data lock and a digital identity bill of rights

My Gmail account is dying of dysfunctional spam filtering. Too bad. Well, I can just delete it and start over. After all, I've always been careful to keep a local repository of all my email -- I don't have to try to download via POP tens of thousands of messages. I don't even need my Gmail address, I only ever give out personal email addresses that redirect to Gmail. I've been so careful to maintain a layer of indirection ... or have I?

Ahh. Not so fast. Google checkout (purchase records), Picasa Web Albums (just paid $30 for the 9GB storage), Google Earth (I have the upgrade account, also $30 or so), my search history, my Google spreadsheets, my Google Apps -- there are now 15 services inextricably linked to my Google digital identity -- and Gmail is the core of that identity. Soon my blogs, including this one, will move to that identity. Some of this data can be extracted, much cannot.

So can I keep the Gmail account in a sort of moribund state, setting spam filtering to an extreme level? No, Gmail doesn't allow one to control spam filtering. Yahoo email does, Gmail does not. You get the default.

It's a nasty situation. I'm wed to Google, but my bride is demonstrating sociopathic tendencies. Divorce is very expensive. Such are the perils of "data lock", but ownership of digital identity is worse than conventional "data lock" -- it starts to smell a bit like indentured servitude.

We need a digital identity bill of rights. I'll write more on this, but here are two off the top of my head:
  1. Digital identity must be portable using a well defined public standard.
  2. Digital identity must be independent of services. In other words -- there's a layer of indirection between my digital identity and my email account, my credit card account, my eCash account ...
Only two requirements, but it's a start. It means that neither Google nor Microsoft nor my credit card company nor my checking account can own my digital identity. They may host my digital identity, but I need to be able to migrate it, with appropriate authentication, to another host without breaking the associated services.

Google, unwittingly or with full knowledge, is now Evil. How can Google become less evil? They could adopt the Digital Identity Bill of Rights. The first step would be to separate a user's Gmail address from Google's digital identity, the next step would be to adopt and define an open standard so that Google customers could opt to migrate to another Digital Identity host.

If Amazon, Yahoo, or even Microsoft were to adopt this Bill of Rights, they'd get my business. I think Amazon would be my first choice.

Update 9/22/06: But then things began looking better ...

Wednesday, December 02, 2009

It's not over. The rise of second generation spam.

First generation spam was pretty bad, but it's more or less under control now. Between sharpening spam recognition algorithms, crowd sourcing, and managing the reputation of authenticated sending services Google has beaten back the tide.

So that's it for spam?

Heh. Of course not. Now we have second generation spam.

Second generation spam does not use forged headers -- though the headers do seem to change a fair bit. This spam is not anonymous, it markets real goods, services - and politicians.

The goods and services aren't too hard to manage. I created a filter that sends anything from "buy.com" to the trash -- that took care of 80% of it.

The politicians are much worse. I get daily spam from fund raising politicos, PACs and other accessories to the political process. I now have about 25 Gmail filters that do nothing but delete all incoming email from their domains. The domains typically last a few months, and then there's a new crop. At this rate I'll have 200+ Gmail filters that delete email from largely defunct domains.

What? Ask to be removed from the lists? Clearly you're just toying with me. I tried that of course, but it doesn't work. I just get added back in the next time some politico buys a list. (Maybe I should start forwarding to spam@uce.gov as well?)

It's hard for any ISP to block this kind of spam. Politicians generally exempt themselves from laws that slow fundraising; if Google blocked their spam they'd be asking for a world of hurt. Better to get between a Grizzly and her cub than between a politician and your wallet.

We need a different approach to political spam. Sorry, I have to vote for some of these dorks -- better spam than Palin and her ilk! So changing my vote's not enough. Any ideas?

I do have one quick fix. Google could add a "blacklist all from this domain" to the message action select menu. Choose it and the message is deleted and the blacklist entry created in one move.

Another related fix -- allow Gmail users to share their blacklists. So Google wouldn't get in trouble, because we'd be choosing what to block.

Any other ideas?

Thursday, July 07, 2005

GMail and spam filtering: Google's engineers are not perfect after all

Google Accounts

I love GMail -- except for the spam filtering. It's broken in an impressive way. Google's spam filters miss a lot of spam (so it shows up in my inbox) and they label a lot of my email as spam when it isn't (possibly a problem with how they handle redirects). Of course since GMail is a free/beta product there's no-one to complain to -- or even give feedback to. Actually, there is a feedback form. Update: it's a Potemkin feedback form. Use it and you get a form letter email that says to resubmit feedback after reading the form letter -- but the form letter doesn't include what was written using Google's web page. This manages to be worse than nothing!

My regular ISP, using standard open source spam management solutions, does a far better job.

Google arrogance perhaps? Definitely.

Update: When you mark a message as 'not spam', GMail is supposed to add the sender to one's contact list. Contacts are supposed to be 'white listed'. This is broken, GMail is not always adding the sender correctly. I'm adding the sender for miscategorized email manually to my contacts list.

Friday, December 09, 2005

Gmail is getting better: new features

I've been very impressed and pleased with Gmail -- despite the significant privacy issues. It's true that my maximum mailbox is no longer growing (it stopped growing at about 2.6GB, so now I've used 17% -- if it were to stay at 2.7GB I'd run out in a few years), but Google is adding a lot of interesting new features. The new RSS/mail integration model is very interesting, especially given Google's disappointing standalone RSS client. Here's the current list. Note the use of Google Toolbar to integrate the desktop with the Gmail application suite (edits, emphases, comments mine):
About Gmail
  • View your favorite RSS feeds right in Gmail as “Clips” along the top of your Gmail screen. Display clips from blogs, news sites and other online sources. Pick from the latest headlines, random popular feeds, or add any RSS/Atom feed you want. [Example, RSS feed that monitors email activity in a separate Yahoo "spam" account ....]
  • When you get Microsoft Office, OpenOffice or .pdf attachments, you can view them as a web page in HTML by clicking the "View as HTML" link right next to it.
  • Gmail automatically detects addresses and tracking numbers, and displays useful information for them alongside your messages.
  • Virus scanning... [of course I'd imagined they always did this. Shame on me.]
  • Export your Gmail Contacts and save them in a file for back-up or to use in another account or service ... [noble]
  • Saves to ‘Drafts’ as you’re composing. Never lose a half-written email again. (huge)
  • Google Toolbar ... Search your mail or instantly go to your Inbox from any web page with just one click.
  • Google Desktop lets you search your computer for files, music, photos, chats, web pages you've seen, and now, your Gmail messages too. Even if you’re offline. [jf: so read access to Gmail repository when offline -- that's big. Too bad Yahoo Desktop Search is so superior to GDS.]
  • Gmail contacts are pre-loaded in Google Talk.
  • Customize the address on your outgoing messages to display another one of your addresses instead.
  • Gmail Notifier for Mac OS X even supports plug-in development.
  • Gmail now gives you over 2.5 gigabytes of free space (and growing every day)! [but mine has stopped growing]
  • Rich text formatting
  • Send up to 10MB of photos, works with Picasa
  • Gmail now works with Picasa, Google's free
  • Basic HTML view lets you access your Gmail messages from almost any computer running almost any web browser.
  • Free POP access and automatic forwarding
  • Move all your contacts from Yahoo! Mail, Outlook, and others to Gmail in just a few clicks.

Monday, July 10, 2006

All the vulnerable people: eFraud, aging and special needs

Eight years ago I wrote a web page on Fighting Spam. That was a year after I'd first suggested to an ISP (Mindspring then) that they provide spam filtering services.

Alas, the spam deluge continues. My Gmail spam filter was stable at 5500 spams/month for about a year, but now it's up to 6500 spams/month. The zombie bots are getting worse.

Spam is bad, and it's sad that we still haven't adopted relatively inexpensive fixes like reputation management of authenticated sending services. I've come to realize, however, that the problems of spam are only the leading edge, the snout in the door, of something much worse. The most dangerous spam is increasingly about fraudulent schemes; desperate corporations like Vonage, Cingular, Yahoo and Delta are only marginal contributors. The spam is spawning phishing, splogs, and VOIP supported phone fraud, combining age old scams like the Publisher's Clearinghouse parasite, state lotteries, or "low interest credit card" scams with new technologies.

These fraud strategies are merging, morphing, and evolving with extraordinary speed, fueled by the worldnet. Charles Stross writes about sentient financial instruments, but one could as easily see how fraud strategies might be an even better candidate for emergent sentience [1]. Even as this happens, the prey population is growing with the aging of the wealthy western nations and the predator population is growing as the young and the desperate come online.

It takes a fair bit of intelligence, discipline and experience to see through these schemes and to monitor one's human frailties. My handful of readers are likely immune. Not so our aging parents, not so the 50% of our population with IQs under 100. One day, all too soon, my IQ too will drop below some magic threshold and I will join the population of the vulnerable. Most of us will, unless we die first. An increasingly complex world will offer endless opportunities for highly refined schemes to separate the vulnerable from their assets.

We're going to have to evolve new systems of defense, trust relationships, identity management and reputation management. Developing these systems will be a major social challenge over the next few decades. In the meantime, encourage your parents, and your vulnerable family members, to consult about their financial decisions.

[1] One of the leading theories for a driving force behind the evolution of the human mind is fraud detection and fraud invention.

Update 2/1/2010: See also - Phishing with the post-Turing avatar

Thursday, February 02, 2006

Google's feet of clay: Gmail and spam

Google's share price had a minor hit the other day when they "disappointed" on earnings. I can't make sense of their valuation, even though I do think they're a great company.

I can, however, point out that one of their flagship products, Gmail, has serious issues. For historical reasons I get to see how five different spam filtering systems work: Yahoo, Earthlink, Spamcop, the open source systems used by many smaller ISPs, and Gmail's system.

Gmail is not just slightly inferior. It is qualitatively inferior. It is so bad it's mindboggling. The other four all work quite well, making relatively few false positive or false negative errors. Gmail errs in both directions, misclassifying spam as mail and mail as spam.

This isn't new. They've had the same problem for over a year. The only reason I stick with them is their fantastic UI and amazing search capabilities, but if Yahoo ever updates me to their new UI I may switch (I can redirect my mail flows fairly easily since I control the routing domains).

Why doesn't Google invest in the open source systems that work for everyone else? The scale they work on is rather different from that of a small ISP, so they may face impossible scalability challenges. I wonder though, if arrogance plays a role -- the belief that their algorithms will devise a better solution. If it's really arrogance, then their share price may fall more than 10% over the next year.

Tuesday, February 22, 2005

How I use Gmail and why it really is so great

Gmail - Inbox

Gmail is getting ready to go public. I have about 50 "invitations" to hand out. Good time to mention how my use has evolved.

1. My desktop email has become a repository and backup store. I do most of my work in Gmail. Messages go out with a return address to my public (spamcop) account but my Gmail account is well known to spammers so this is not critical.

2. I don't use the "labels" much. I thought I'd use 'em more. I'm very post-hierarchy these days. (Labels are an attribute that can be used to emulate a non-hierarchical folder with multiple inheritance.)

3. I "fork" my mailstream. (Relatively few people can do this, I control my mail domain.) Mail to my primary address is replicated to my POP box and to Gmail. So there are two copies everywhere. Works very well with two downsides:
- I have to remember to cc myself if I want my replies or messages to be in both repositories. (I wish auto-cc was a Gmail feature, it's not.)
- I have to deal with spam twice, fortunately the filtering I use works pretty well. Gmail keeps a steady level of about 6000 spams in my spam box -- about 30 days worth.

4. Gmail is also a repository for files of less than 10MB that I want to quickly backup or pass around.

5. I use the "star" feature quite a bit.

6. My Inbox is emptied on reading. If I want to come back to a message I "star" it.

Things I really like about Gmail:

1. speed, speed, speed.
2. did i mention search speed?
3. no filing
4. keyboard shortcuts (see speed)
5. smart address book and address completion
6. elegance
7. reliability
8. useful and interesting ad links

Things I want:

1. auto-bcc feature so I can copy replies to my personal repository
2. IMAP support (I'd pay)
3. more capacity -- 1GB will last me about another 2 years. (I'd pay)

Monday, December 19, 2005

Left head bites right head -- Gmail filters blogger comments to spam box

Gmail is mostly impressive -- except for the spam filtering. Creaky old Yahoo mail, or even my local ISP, does a much better job at separating the wheat from the chaff.

Gmail errs in both directions. It puts spam in my inbox, and not-spam in my spambox. It invariably filters comment submissions from blogger into the spambox -- even though both Blogger and Gmail are Google properties. Google's a multi-headed monster, and the heads aren't necessarily on good terms.

Wednesday, July 18, 2007

Problems in Google-land: Gmail, Blogger and do you really trust Web 2.0?

Last week a bad update broke Google's BlogThis! tool. It took them a week to fix it, and there was never any official notification of the problem, though Google's support people did post in response to numerous help group complaints.

This week Gmail's spam filter is malfunctioning. The "whitelist" functionality is broken and it's miscategorizing email. I tried to post about this on the Gmail Group but the "problem" group is down (really, I'm not joking, they're out of order). Users who get large volumes of spam will inevitably lose email in the mess.

Google has not provided any notification on any blog, or on their help page, of the Gmail malfunction. (They did provide notification that the Gmail Help Group is down, but that's rather obvious.)

It's the failure to notify, more than the bugs, that really concerns me. Google is not treating their customers respectfully.

The foundation of "Web 2.0" apps (what we once called "application service provider") is trust in the service provider. The "web 2.0" model doesn't need to be perfect -- all software has bugs and local hard drives fail, so traditional "owned" software models have their own problems. The "web 2.0" model does, however, require trust, and trust requires respect.

If Google can't respect their customers, who can? What does this say about all the other web 2.0 services that we increasingly rely upon?

Saturday, December 06, 2008

The unreliability of email - Apple MobileMe and Spamcop.net

Apple's been secretly blocking MobileMe email sent to spamcop.net.

So that desperate email for help your daughter sent you? She doesn't know you didn't get it.

Since Spamcop is a prime generator of anti-spam blacklists, Apple may be doing this for fear a MobileMe account bot will put me.com on a blacklist. If the covert block is policy rather than a bug, it's one more reason to despise Apple and pray for the success of the gPhone.

Other than reinforcing the folly of trusting Apple, this (again) teaches us that email is an unreliable message stream. Adding silent outgoing mail blocks to false positive spam blocks is a straw tossed atop an already broken camel. Snail mail is significantly more reliable.

For my part, I've had a spamcop.net address for at least six years, but even before this happened I'd decided I needed to deprecate it. In a year or two I'll discontinue the account.

I'm deprecating my spamcop email in an effort to decrease the complexity, and thus increase the reliability of my email stream. The details are too tedious to describe here, but briefly I've decided I need a multi-mode signed sending address from a 900 pound gorilla domain (gmail.com basically), a single personal blacklist to maintain, a strong identity tie to email, and to eliminate redirects of incoming email. It helps that after a very long, hard, development path, Gmail's spam filtering is now very good.

Sunday, September 06, 2009

Death of email part XI: forwarded emails with big red phishing warnings

I own a few domains, including a Google Apps domain we use for our family [1]. My immediate family members, excluding Kateva (canid), have calendars and emails in the family domain. Overall, it works pretty well. It pounds Apple's warped MobileMe into the sand. Savagely.

For reasons that aren't worth trying to describe, I've used an email redirector for some of these accounts. This is forwarding at the domain level, not forwarding from an email account.

This used to work pretty well, but when I tested it on a new account two problems appeared:
  1. It was filtered to Google spam.
  2. A BIG RED PHISHING warning appeared when I opened the email.
I was able to correct this by marking it as 'not spam' and 'not phishing' (the UI for the latter is a bit non-obvious, I had to follow the help link in the phishing notice).

This is a great example of the tech churn meme I wrote of yesterday. Email is in a troubled state as it painfully moves from the old world of the naive net to the new world of authenticated messaging [2].

This redirect mechanism is clearly not going to work, perhaps because the redirecting domain has been used by spammers in forged email headers [3].

Ouch. This is definitely a problem. I have some workaround ideas, but this will be a bugger to test since Google doesn't talk much about what it's doing.

--

[1] Free edition. If google drops the price on their small business product I'd upgrade to get some customer support options.
[2] One reason people like facebook messaging is that it's deeply authenticated.
[3] The curse of old, private, domains. Mine is very old. There's no defense against such forgery. See also two 2006 posts about a related problem (this isn't new)

Tuesday, July 11, 2006

Contextual Google Ad above my Gmail spam list

French Fry Spam Casserole - Bake 30-40 minutes.

Cute. Google has finally added a 'delete all spam' link. It took out 6500 items at once -- 30 days of spam.

Wednesday, April 13, 2005

Gmail's flaw: crummy spam filtering

Gmail is very impressive, save for one rather serious flaw.

Their spam filtering is really, truly, awful. This is quite surprising -- most of us thought Google would do a great job of spam filtering. Astoundingly, they're far worse than Yahoo, Spamcop, or my personal ISP (visi.com). Recently my inbox has had 25 spams a day -- compared to 3-4 spams in the same mail stream (my messages bifurcate) managed by visi.com. Nor is VISI producing too many false positives; they do pretty well.

Until GMail gets its spam filtering under control I can't recommend them to anyone.

Saturday, June 16, 2012

The evolution of spam: Nordstrom and mandatory spam acceptance

We've come a long way baby.

A year ago Nordstrom's began offering optional email receipts as "a convenient, environmentally friendly alternative to paper receipts."

Of course there are always a few skeptics who doubted Nordstrom's integrity, but USA Today was reassuring:

Retailers ditch paper and pen, use email for receipts - USATODAY.com

... no retailer serious about building a relationship with its customers would consider taking advantage of email access, said John Talbott, assistant director of Indiana University's Center for Education and Research in Retailing.

That's because for the retailer, the most significant benefit is being able to offer a service customers appreciate, he said. It isn't about cutting costs, he said, as less than 1% of a retailer's total revenue goes toward paper and ink for receipts.

Instead, the driving force is providing an option that makes the store a more appealing place to shop...

Yesterday Emily bought a shirt at Nordstrom's. The email receipt, she was told, was mandatory. No, of course there'd be no spam. She doesn't have a spam account, so she gave them her gmail account.

She got her first Nordstrom spam a few hours later. I'll show her how to use filters later today.

Not to worry though, paper receipts are not long for this world. Soon we'll be buying things with our phones. No spam there, since of course there's no tie between our phone's unique identifier and our email and phone number.

Wednesday, October 13, 2010

Friendly fire - how Dem spam killed my donations

I'm a good commie. Each cycle we give some money to help Dems.

Not this election though. Partly, that's because my team's spam has gone astronomical. The spam flow is legal though, because "political speech" isn't covered by the CAN-SPAM act of 2003.

Campaign spam comes with 'unsubscribe' links, but they don't seem to be connected to anything. Even if they were, however, I'd probably be re-enrolled with the next list update. I doubt the campaigns spend much on mailing list hygiene.

At least the email headers aren't faked, so I have about thirty Gmail filters that send all email from all identified campaign-related domains to the trash. I'm probably not the only one doing this though, because lately the domain names are proliferating. The speech spammers are trying to get around my filters.

This is a job for the DFL. Yes, it's a bit of a reach for them -- but we're talking money. Money talk gets politicians' attention. Here's what the DFL can do:
  1. Get serious about a state wide unsubscribe service. Tell campaigns that if they don't follow the rules, they don't get funding or DFL support.
  2. Forget about reaching me by email. There's nothing a politician can put in a mass email that will interest me (the vast majority of political speech is aimed at the undecideds). Instead set up narrowcast feeds aimed at literate geeks whose vote is not in doubt.
  3. Enjoy the money Emily and I will send after the spam stops.

Thursday, March 22, 2007

Spam with real addresses: another revolting development

Blacklists usually have limited value because spammers use bots, fake domains, etc. Lately, however, much of my spam has been coming from real companies and organizations with persistent email addresses. The good news is this spam is trivially easy to blacklist.
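A personal domain blacklist of the kind described here and in the campaign-spam post above, as an added example (not code from this blog or from Gmail). The domains and messages are constructed, and the filter trusts the From: header, so it only helps when headers are not forged. It matches subdomains by label and shows a newly registered sender domain slipping past the list.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed blacklist of hypothetical sender domains (not from the page).
BLACKLIST = {"campaign-a.example", "newsletter-b.example"}

def sender_domain(raw_message):
    """Return the lower-cased domain of the From: address, or None."""
    msg = message_from_string(raw_message)
    # parseaddr separates the display name from the real address, so a
    # display name that looks like an address cannot fool the match.
    _display, addr = parseaddr(str(msg.get("From", "")))
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().rstrip(".")

def is_blacklisted(domain, blacklist=BLACKLIST):
    """True when domain is a listed domain or a subdomain of one."""
    if domain is None:
        return False
    labels = domain.split(".")
    # Compare whole labels: "mail.campaign-a.example" matches, while
    # "notcampaign-a.example" does not (a plain endswith() would match it).
    return any(".".join(labels[i:]) in blacklist for i in range(len(labels)))

def triage(raw_messages):
    """Return (trash, inbox): sender domains of filtered and kept messages."""
    trash, inbox = [], []
    for raw in raw_messages:
        domain = sender_domain(raw)
        (trash if is_blacklisted(domain) else inbox).append(domain)
    return trash, inbox

# Constructed sample messages.
SAMPLES = [
    "From: Team A <news@campaign-a.example>\nSubject: Donate\n\nhi",
    'From: "friend@gmail.example" <blast@mail.campaign-a.example>\n\nhi',
    # Same sender on a freshly registered domain: not on the list yet.
    "From: Team A <news@campaign-a-2010.example>\nSubject: Donate\n\nhi",
    "From: Alice <alice@notcampaign-a.example>\nSubject: Lunch\n\nhi",
]

if __name__ == "__main__":
    trash, inbox = triage(SAMPLES)
    print("trash:", trash)
    print("inbox:", inbox)
```

The third sample is the proliferating-domain case: each new domain costs the sender one registration and costs the recipient one more list entry.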



On the one tentacle the legitimization of spam feels like another bit of bad news for our ailing email, but on the other tentacle ever since I figured out how I was making Gmail hate me I've been pleased with its spam filtering. Email is still alive, for now ...