A Disturbing Trend

Over the last year or so we’ve been hearing some concerns about some of the blacklisting policies and decisions at Trend Micro / MAPS.
One common thread is that the ESP customers being listed aren’t the sort of sender who you’d expect to be a significant source of abuse. Real companies, gathering addresses from signup forms on their website. Not spammers who buy lists, or who harvest addresses, or who are generating high levels of complaints – rather legitimate senders who are, at worst, being a bit sloppy with their data management. When Trend blacklist an IP address due to a spamtrap hit from one of these customers the actions they are demanding before delisting seem out of proportion to the actual level of abuse seen – often requiring that the ESP terminate the customer or have the customer reconfirm the entire list.
“Reconfirming” means sending an opt-in challenge to every existing subscriber, and dropping any subscriber who doesn’t click on the confirmation link. It’s a very blunt tool. It will annoy the existing recipients and will usually lead to a lot of otherwise happy, engaged subscribers being removed from the mailing list. While reconfirmation can be a useful tool in cleaning up senders who have serious data integrity problems, it’s an overreaction in the case of a sender who doesn’t have any serious problems. “Proportionate punishment” issues aside, it often won’t do anything to improve the state of the email ecosystem. Rather than staying with their current ESP and doing some data hygiene work to fix their real problems, if any, they’re more likely to just move elsewhere. The ESP loses a customer, the sender keeps sending the same email.
If this were all that was going on, it would just mean that the MAPS blacklists are likely to block mail from senders who are sending mostly wanted email.
It’s worse than that, though.
The other thread is that we’re being told that Trend/MAPS are blocking IP addresses that only send confirmed, closed-loop opt-in email, due to spamtrap hits – and they’re not doing so accidentally, as they’re not removing those listings when told that those addresses only emit COI email. That’s something it’s hard to believe a serious blacklist would do, so we decided to dig down and look at what’s going on.
Trend/MAPS have registered upwards of 5,000 domains for use as spamtraps. Some of them are the sort of “fake” domain that people enter into a web form when they want a fake email address (“fakeaddressforyourlist.com”, “nonofyourbussiness.com”, “noneatall.com”). Some of them are the sort of domains that people will accidentally typo when entering an email address (“netvigattor.com”, “lettterbox.com”, “ahoo.es”). Some of them look like they were created automatically by flaky software or were taken from people obfuscating their email addresses to avoid spam (“notmenetvigator.com”, “nofuckinspamhotmail.com”, “nospamsprintnet.com”). And some are real domains that were used for real websites and email in the past, then acquired by Trend/MAPS (“networkembroidery.com”, “omeganetworking.com”, “sheratonforms.com”). And some are just inscrutable (“5b727e6575b89c827e8c9756076e9163.com” – it’s probably an MD5 hash of something, and is exactly the sort of domain you’d use when you wanted to be able to prove ownership after the fact, by knowing what it’s an MD5 hash of).
Some of these are good traps for detecting mail sent to old lists, but many of them (typos, fake addresses) are good traps for detecting mail sent to email addresses entered into web forms – in other words, for the sort of mail typically sent by opt-in mailers.
How are they listing sources of pure COI email, though? That’s simple – Trend/MAPS are taking email sent to the trap domains they own, then they’re clicking on the confirmation links in the email.
Yes. Really.
So if someone typos their email address in your signup form (“steve@netvigattor.com” instead of “steve@netvigator.com”) you’ll send a confirmation email to that address. Trend/MAPS will get that misdirected email, and may click on the confirmation link, and then you’ll “know” that it’s a legitimate, confirmed signup – because Trend/MAPS did confirm they wanted the email. Then at some later date, you’ll end up being blacklisted for sending that 100% COI email to a “MAPS spamtrap”. Then Trend/MAPS require you to reconfirm your entire list to get removed from their blacklist – despite the fact that it’s already COI email, and risking that Trend/MAPS may click on the confirmation links in that reconfirmation run, and blacklist you again based on the same “spamtrap hit” in the future.
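Two defensive checks a sender can run around the confirmation step just described, as an added example (this is not Word to the Wise's or any ESP's code): flag signup addresses whose domain looks like a typo of a well-known provider or a throwaway placeholder before the confirmation mail is sent, and flag confirmation clicks that arrive from a network unrelated to the one the signup came from. The provider list, the placeholder words, the /16 locality heuristic, the signup records and the access-log lines are all constructed for the example.

```python
"""Signup hygiene checks for a confirmed opt-in (COI) list.

Added example; not Word to the Wise's or any ESP's code. Two checks:
  1. classify_domain(): does the signup domain look like a typo of a known
     provider, or like a placeholder someone typed to avoid giving an address?
  2. review_signups(): did the confirmation click come from a network that has
     nothing to do with the network the signup form was submitted from?
All domain lists, thresholds, records and log lines are constructed.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Constructed, partial list of providers a typo is likely to have been aimed at.
KNOWN_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "netvigator.com", "letterbox.com"}
# Constructed list of words that show up in throwaway domains typed into web forms.
PLACEHOLDER_WORDS = ("fake", "none", "nospam")


def edit_distance(a, b):
    """Levenshtein distance; one or two means 'probably a typo of'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'ok', 'placeholder', or 'typo:<likely intended domain>'."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return "ok"
    label = domain.rsplit(".", 1)[0]          # everything before the TLD
    if any(word in label for word in PLACEHOLDER_WORDS):
        return "placeholder"
    for known in sorted(KNOWN_DOMAINS):
        if edit_distance(domain, known) <= 2:  # one or two keystrokes off
            return "typo:" + known
    return "ok"


Signup = namedtuple("Signup", "address signup_ip token")
Click = namedtuple("Click", "token click_ip")

# Constructed signup records: what the form recorded when each address was entered.
SIGNUPS = [
    Signup("steve@netvigattor.com", "203.0.113.7", "tok-a1"),
    Signup("ann@example.org", "198.51.100.22", "tok-b2"),
]
# Constructed web access log: the first click comes from an address far from the signup.
ACCESS_LOG = """\
192.0.2.55 - - [10/Aug/2011:03:14:01 +0000] "GET /confirm?token=tok-a1 HTTP/1.1" 200 512
198.51.100.22 - - [10/Aug/2011:09:02:44 +0000] "GET /confirm?token=tok-b2 HTTP/1.1" 200 512
"""
LOG_RE = re.compile(r'^(\S+) .*?"GET /confirm\?token=([\w-]+) ')


def parse_clicks(log_text):
    """Pull (token, client IP) pairs for confirmation clicks out of combined-format log lines."""
    return [Click(m.group(2), m.group(1))
            for m in map(LOG_RE.match, log_text.splitlines()) if m]


def same_network(ip_a, ip_b, prefix=16):
    """Coarse locality check: is ip_b inside ip_a's /prefix? A heuristic, not proof."""
    return ip_address(ip_b) in ip_network(f"{ip_a}/{prefix}", strict=False)


def review_signups(signups, clicks):
    """Map each address to the list of issues found; an empty list means nothing odd."""
    click_ip_by_token = {c.token: c.click_ip for c in clicks}
    findings = {}
    for s in signups:
        issues = []
        verdict = classify_domain(s.address.split("@", 1)[1])
        if verdict != "ok":
            issues.append(verdict)
        click_ip = click_ip_by_token.get(s.token)
        if click_ip is None:
            issues.append("unconfirmed")
        elif not same_network(s.signup_ip, click_ip):
            issues.append("click-from-unrelated-network")
        findings[s.address] = issues
    return findings


if __name__ == "__main__":
    for address, issues in review_signups(SIGNUPS, parse_clicks(ACCESS_LOG)).items():
        print(address, issues or "clean")
```

Neither check proves anything on its own: people do read mail from a different network than the one they signed up from, and a two-edit threshold will occasionally flag a real domain. The point is that a typo'd domain plus a click from an unrelated network is worth holding back for a second look rather than treating as a clean confirmation, which is exactly the kind of record the post says ends up counted as a "spamtrap hit".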

We have been in a pretty lengthy back and forth with MAPS. It's just a disaster all around. We cleaned up around 200+ accounts, but they are still seeing trap hits. I finally got fed up and we just asked them outright “we cleaned up 200+ customers lists, and are still hitting traps? any chance you guys are clicking links?”. At this point they have a substantial amount of our IP space listed and are just making this painful. They haven’t had time to respond to our question, but at this point MAPS seems to be the new SORBS.

An ESP’s take on the issue

We (Word to the Wise) aren’t an ESP – if we were then the risk of damage to our business due to publicly criticizing a blacklist would mean we wouldn’t be able to do it – so we don’t have first-hand experience of this behaviour. We have been told by six ESPs and an infrastructure company that Trend/MAPS has ongoing issues with inaccurate listings. Four of them have said that Trend/MAPS is clicking on links in email they’re sending, in some cases confirmation links. We’ve been provided data, including web access logs showing clicks on confirmation links in email sent to “trap” domains registered by Trend from anonymous Taiwanese consumer IP addresses. Many of the “trap” domains are registered by a Director of “Core Tech” at Trend Micro, at a Taiwanese address.
These email addresses were confirmed over the past several years, and have been used to justify aggressive blacklisting of ESPs since. MAPS representatives also confirmed to two ESP representatives that they did sometimes click on links in email sent to their trap addresses during investigations – and that matches data provided to us by another ESP that suggests Trend/MAPS will sometimes go through and click on many of the links in a batch of emails, possibly including any confirmation or reconfirmation links in those emails.
So, it seems that the Trend/MAPS blacklists are being run in a way that will sometimes blacklist sources of 100% COI wanted email, as well as sources of likely wanted email that’s not entirely COI. Conversely, it’s pretty easy to identify or block the trap domains they’re using (a simple Google search will find thousands of them, and null-routing the five or so MXes they use would block all email to them), so any moderately smart spammer could easily avoid being listed by them. That suggests the data quality is probably poor.
It’s even worse than that, though.
Trend/MAPS don’t only run their own spamtrap domains. They are also fed data by spamtraps run by consumer ISPs, including Comcast. There’s data from the ESPs we’ve been talking to that shows that senders blacklisted by Trend/MAPS for “spamtrap hits” are sending email to @comcast.net addresses that had previously been confirmed from the same anonymous Taiwanese consumer IP address as was found clicking on confirmation links. So it’s likely that Trend/MAPS’ habit of clicking confirmation links in mail sent to “spamtraps” is poisoning ISPs’ independent spamtrap data, as well as their own published blacklists.
ESP representatives have been asking Trend Micro about these issues for months. On Wednesday we invited a MAPS rep to comment on the issue as we were planning on writing about it, but didn’t hear anything back beyond a request for specific examples. We declined to provide that for several reasons – it’s not our data to share, doing so would reveal which ESPs provided it to us, and it’s all been provided to Trend/MAPS by the ESPs concerned so they already have the data and are aware of the issues.
Trend/MAPS are tainting the spamtraps they use, by setting them up such that they’re likely to catch sources of mostly wanted email, including sources of 100% COI email. If they were doing that as part of a survey or research project, that would be OK, though the data would likely not be of much value. Instead, though, they’re accusing the senders of this mail of spamming, listing them on their blacklist and making unreasonable demands of the senders before they’ll remove their listing. As MAPS are also selling this data to large US consumer ISPs who use it to block email, the senders don’t have much choice but to comply with those unreasonable demands. (Update 8/9/11: A sender who was listed by MAPS in the last few days is seeing inbox delivery at the major US ISPs we believed were Trend/MAPS customers. It appears that our data on MAPS usage is out of date.) I also wonder how accurate Trend/MAPS are in how they represent their spam filtering services and blacklist data to those ISPs who use them – I doubt those ISPs are intending to buy a blacklist service that blocks wanted, COI email.

Related Posts

I'm on a blocklist! HELP!

Recently, an abuse desk rep asked what to do when customers were complaining about being assigned an IP address located on a blocklist. Because not every blocklist actually affects mail delivery it’s helpful to identify if the listing is causing a problem before diving in and trying to resolve the issue.

Content based filters

Content based filters are incredibly complex and entire books could be written about how they work and what they look at. Of course, by the time the book was written it would be entirely obsolete. Because of their complexity, though, I am always looking for new ways to explain them to folks.
Content based filters look at a whole range of things, from the actual text in the message, to the domains, to the IP addresses those domains and URLs point to. They look at the hidden structure of an email. They look at what’s in the body of the message and what’s in the headers. There isn’t a single bit of a message that content filters ignore.
Clients usually ask me what words they should change to avoid the filters. But this isn’t the right question to ask. Usually it’s not a word that causes the problem. Let me give you a few examples of what I mean.
James H. has an example over on the Cloudmark blog of how a single missing space in an email caused delivery problems for a large company. That missing space changed a domain name in the message sufficiently for it to be caught by a number of filters. This is one type of content filter, one that focuses on what the message is advertising or who the beneficiary of the message is. Some of my better clients get caught by these types of filters occasionally. A website they’re linking to or a domain name they’re using in the text of the message has a bad reputation. The mail gets bulked or blocked because of that domain in the message.
One of my clients went from 100% inbox every day to random failures at different domains. Their overall inbox was still in the 96 – 98% range, but there was a definite change. The actual content of their mail hadn’t changed, but we kept looking for underlying causes. At one point we were on the phone and they mentioned their new content management system. Sure enough, the content management company had a poor reputation and the delivery problems started exactly when they started using the content management. The tricky part of this was that the actual domains and URLs in the messages never changed, they were still clickthrough.clientdomain.example.com. But those URLs now pointed to an IP address that a lot of spammers were abusing. So there were delivery problems. We made some changes to their setup and the delivery problems went away.
The third example is one from quite a long time ago, but illustrates a key point. A client was testing email sends through a new ESP. They were sending one-line mail through the ESPs platform to their own email account. Their corporate spamfilter was blocking the mail. After much investigation and a bit of string pulling, I finally got to talk to an engineer at the spamfiltering company. He told me that they were blocking the mail because it “looked like spam.” When pressed, he told me they blocked anything that had a single line of text and an unsubscribe link. Once the client added a second line of text, the filtering issue went away.
These are just some of the examples of how complex content based filters are. Content is almost a misnomer for them, as they look at so many other things including layout, URLs, domains and links.
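The three stories above each hinge on something a filter extracted from the message that was not a "word": a domain changed by a missing space, a link hostname that now resolved to an abused IP, and a message with a single line of text and an unsubscribe link. The added example below (not Cloudmark's, any ISP's, or the author's filter code) pulls those same features out of a raw message. The reputation sets, the resolver table standing in for a DNS lookup, and the three sample messages are all constructed.

```python
"""Feature extraction of the kind a content filter performs.

Added example, not Cloudmark's, any ISP's, or the author's filter. From a raw
message it extracts what the post says filters look at: every hostname in the
body (linked or merely mentioned in the text), the IP each hostname currently
points to, and coarse layout such as how many lines of real text sit next to an
unsubscribe link. Reputation sets, resolver table and messages are constructed.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

BAD_HOSTS = {"bad-deal.example"}  # constructed: domains with a bad reputation
BAD_IPS = {"203.0.113.99"}        # constructed: an IP many spammers are abusing
RESOLVER = {                      # constructed stand-in for a live DNS lookup
    "clickthrough.clientdomain.example.com": "203.0.113.99",  # same URL, now a bad host
    "bad-deal.example": "198.51.100.5",
    "www.client.example": "192.0.2.10",
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
BARE_DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def extract_features(raw_message):
    """Return hostnames, count of real text lines, and the reasons a filter might object."""
    msg = message_from_string(raw_message)
    body = msg.get_payload().lower()  # single-part text/plain assumed for the example
    hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
    # Lines of prose with the URLs removed; a line that was only a URL disappears.
    prose = [URL_RE.sub("", line).strip() for line in body.splitlines()]
    prose = [line for line in prose if line]
    # Domains mentioned in running text count too, exactly as a linked one does.
    hosts |= {h for line in prose for h in BARE_DOMAIN_RE.findall(line)}
    reasons = []
    for host in sorted(hosts):
        ip = RESOLVER.get(host)
        if host in BAD_HOSTS:
            reasons.append(f"bad-host:{host}")
        if ip is None:
            reasons.append(f"unresolved-host:{host}")  # e.g. a domain mangled by a missing space
        elif ip in BAD_IPS:
            reasons.append(f"bad-ip:{host}->{ip}")
    if len(prose) <= 1 and "unsubscribe" in body:
        reasons.append("one-line-plus-unsubscribe")
    return {"hosts": sorted(hosts), "text_lines": len(prose), "reasons": reasons}


# Constructed: the client's URLs never changed, but the tracking host now resolves to a bad IP,
# and the text also mentions a domain with a poor reputation.
NEWSLETTER = """\
From: news@client.example
To: reader@example.org
Subject: August update

Our summer catalogue is live. Read it at
http://clickthrough.clientdomain.example.com/r/123
Compare prices at bad-deal.example before you buy.
To stop receiving these, visit http://www.client.example/unsubscribe
"""

# Constructed: the one-line test message from the third story.
ONE_LINER = """\
From: test@esp.example
To: me@corp.example
Subject: test

Testing the new platform. Unsubscribe: http://www.client.example/unsubscribe
"""

# Constructed: a missing space after the full stop turns a known domain into an unknown one.
MISSING_SPACE = """\
From: news@client.example
To: reader@example.org
Subject: Offers

Full details at www.client.example.Offers end Friday.
To stop receiving these, visit http://www.client.example/unsubscribe
"""

if __name__ == "__main__":
    for name, raw in (("newsletter", NEWSLETTER), ("one-liner", ONE_LINER), ("missing-space", MISSING_SPACE)):
        print(name, extract_features(raw))
```

None of these checks looks at the words of the message, which is the point: changing vocabulary would not have fixed any of the three cases. The resolver table is the piece a real filter gets from live DNS and its own IP reputation data, so the newsletter's verdict can change overnight without a single byte of the message changing.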

Why do ISPs do that?

One of the most common things I hear is “but why does the ISP do it that way?” The generic answer to that question is: because it works for them and meets their needs. Anyone designing a mail system has to implement some sort of spam filtering and will have to accept the potential for lost mail. Even those recipients who run no software filtering may lose mail. Their spamfilter is the delete key, and sometimes they’ll delete a real mail.
Every mailserver admin, whether managing an MTA for a corporation, an ISP or themselves, inevitably looks at the question of false positives and false negatives. Some are more sensitive to false negatives and would rather block real mail than have to wade through a mailbox full of spam. Others are more sensitive to false positives and would rather deal with unfiltered spam than risk losing mail.
At the ISPs, many of these decisions aren’t made by one person, but the decisions are driven by the business philosophy, requirements and technology. The different consumer ISPs have different philosophies and these show in their spamfiltering.
Gmail, for instance, has a lot of faith in their ability to sort, classify and rank text. This is, after all, what Google does. Therefore, they accept most of the email delivered to Gmail users and then sort after the fact. This fits their technology, their available resources and their business philosophy. They leave as much filtering at the enduser level as they can.
Yahoo, on the other hand, chooses to filter mail at the MTA. While their spamfoldering algorithms are good, they don’t want to waste CPU and filtering effort on mail that they think may be spam. So, they choose to block heavily at the edge, going so far as to rate limit senders they don’t know anything about. Endusers are protected from malicious mail and senders have the ability to retry mail until it is accepted.
The same types of entries could be written about Hotmail or AOL. They could even be written about the various spam filter vendors and blocklists. Every company has their own way of doing things and their way reflects their underlying business philosophy.