Domains

Don’t add your domain to the Public Suffix List

(At least, not if you ever intend to use it for email. It might break the domain for email, maybe forever.)


Identifying domains that don’t accept or send email

A couple folks have asked me recently about MX records that they don’t understand. These records consist of a single . or they contain localhost or they are 127.0.0.1.


What … is your name?

For some reason otherwise legitimate ESPs have over the years picked up a habit of obfuscating who they are.
I don’t mean those cases where they use a customer’s subdomain for their infrastructure or bounce address. If the customer is Harper Collins then mail “from” @bounce.e.harpercollins.com sent from a server claiming to be mail3871.e.harpercollins.com isn’t unreasonable. (Though something in the headers that identified the ESP would be nice.)
No, I mean random garbage domains created by an ESP to avoid using their real domains in the mail they send and in their network infrastructure. This isn’t exactly snowshoe behaviour. They’re not really hiding anything terribly effectively from someone determined to identify them – the domains are registered with real contact information, and the IP addresses the mail is sent from are mostly SWIPped accurately – but they do prevent a casual observer from identifying the sender.
Silverpop has registered over 9,000 domains in .com that are just “mkt” followed by some random digits that they use for infrastructure hostnames, bounce addresses and click-tracking links. Apart from anything else, it’s a terrible waste of domain name space to use links.mkt1572.com where they could just as well use links1572.silverpop.com or links.mkt1572.silverpop.com.
For what they’re paying just for domain name registration and management they could probably hire multiple full time employees.
And Marketo has registered over 17,000 domains in .com that are just “mkto-” followed by what looks like a location code.
(I’m not picking on Marketo and Silverpop in particular – several other notable ESPs do the exact same thing – they’re just relevant to the end of the story).
Using garbage domains like this makes you look more like a snowshoe spammer at first glance than a legitimate ESP.
It also makes it much harder for a human glancing at your headers to correctly identify a responsible party …
… which is probably why abuse@marketo are rather tired of receiving misdirected complaints about spam sent by Silverpop from machines called something like mkt1572.com.
 
 


Domain management

Yesterday one of the bigger ESPs had their domain registration lapse. This caused a whole host of problems for their customers. It was resolved when someone completely unrelated to the company paid the registration fee.
It happens. Most of us know about cases where email or domains were lost due to renewal failures. The canonical case is one person at the company handles renewals, and leaves or is off when renewal comes up. The payment is missed, the domain goes back to the registrar and everything falls apart.
This happens at big companies and it happens at small companies. This is the kind of public facing problem that should make all of us look at how our own domains are managed. A few questions to ask.


thirty.years.com

Thirty years ago this Sunday, symbolics.com was registered – the first .com domain. It was followed, within a few months, by bbn.com, think.com, mcc.com and dec.com.
Symbolics made lisp machines – symbolics.com is now owned by a domain speculator.
BBN is a technology R&D company who’ve worked on everything. If I had to pick one thing they were involved with it’d be the Internet Message Processor – the router used on the very first Internet nodes. They are still around, as a division of Raytheon.
Think.com made some amazing massively parallel computers. Their hardware group was bought out by Sun, who were bought out by Oracle and think.com now redirects to a broken error page at oracle.com.
Mcc.com were the first – and for a while, the largest – computing research and development consortium in the US. They did groundbreaking work on everything from silicon to AI. Their domain is now a generic parked page owned by a domain speculator.
Dec.com were Digital Equipment Corporation – creators of the PDP, VAX, Alpha and StrongARM processors, amongst many other things. They were a huge company when I worked for them designing Alpha CPUs in the mid 90s, then they were acquired by Compaq, then HP, then split up. Their domain is now a personal website.
It took nearly three years to reach 100 registered .com domains and nearly 10 years to reach 9,000.
As of this morning there are 116,621,517 domains registered in .com, from (64 zeros).com to (64 letter z).com, out of a possible total of more than two googol – so there’s still a domain there for you.
221,848 of those domains in .com mention “mail”.


Domains need to be warmed, too

One thing that came out of the ISP session at M3AAWG is that domains need to be warmed up, too. I can’t remember exactly which ISP rep said it, but there was general nodding across the panel when this was said.
This isn’t just the domain in the reverse DNS of the sending IP, but also the domains used in the Return Path (Envelope From) and the visible From.
From the ISP’s perspective, this makes tons of sense. Some of the most prolific snowshoe spammers use new domains and new IPs for every send. They’re not trying to establish a reputation, rather they’re trying to avoid one. ISPs respond by distrusting any mail from a new IP with a new domain.


Yahoo now auctioning domain names

This summer Yahoo shook up the email ecosystem by publicly announcing they were recycling usernames. The shakeup wasn’t so much that they were recycling usernames, but that they did it in a way that compromised user information and account security. Any user that had an account tied to a recycled Yahoo account is at risk for having their PII leaked. Folks are still dealing with the fallout, both Yahoo and the companies who are trying to meet customer needs by sending emails and protect customer emails by not sending emails.
On top of that, Yahoo announced they’re selling off a number of domains that they’ve accumulated over the years. Some of these are pretty high value domains like webserver.com, sandwich.com and other real words.
I don’t think Yahoo used any of these domains for email, and even if they did any addresses should have bounced off years ago. Still, it does bring up some broader policy issues.
Many, many things online, from bank accounts to social media accounts to blog commenting systems treat email addresses as a unique identifier for that account. Many of these databases were developed with the underlying assumption that people wouldn’t change their email addresses and that it was a static value. This wasn’t a true assumption 10 years ago and it’s certainly not true now. This mistaken assumption is a problem, and one that more and more companies are going to have to address moving forward. This isn’t about email and it isn’t about delivery, it’s about simple data accuracy and hygiene.
Companies must start thinking about and addressing email address impermanence. These issues are not going away.


Proxy registrations and commercial email

Yesterday the law firm Venable, LLP published a document discussing the recent California appellate court decision in Balsam v. Trancos. Their take is that commercial email that contains a generic from line and is sent from a proxied domain is a violation of the California Business and Professions Code § 17529.5(a)(2).


CA court requires sender identification on emails

Venkat analyzes the appeals court decision in Balsam v. Trancos, Inc. In this case the appeals court decided that emails have to identify some actual person or entity they are sent by or from. Emails that do not identify the sender are in violation of the California anti-spam statute.
Venkat talks about all the reasons he thinks this is a problematic ruling, and the CA courts and anti-spam activists certainly have their share of bad rulings. I’m less convinced. The crux of the case seems to be that the advertiser used a number of random domains to hide the responsible party for an email. Rotating domains is a very, very common spammer tactic that is specifically a way to avoid domain based filters.
I understand Venkat’s concern but as someone who gets a lot of these spams I think the court is certainly ruling within the spirit of the CA statute. These mailers are using random domains to avoid filters and mislead recipients as to the source of the mail. Even if the domains are legitimately owned by the advertiser, they are usually hidden behind privacy protection and give the recipient no real information about who is sending the mail.
Another interesting point is the court speaking out against privacy registration. Personally, I don’t think any business should ever hide their domain registration behind privacy protection. If you’re a business, then you should stand up and give real contact information. I know it can be scary, particularly for people working out of their home, but if you’re a real business, you need to have an address registered with your state. Furthermore, if you’re a business sending email, all that email must contain a physical postal address. Your address already needs to be public, and including that in whois records isn’t actually going to change anything.


News and announcements: March 1, 2010

Some news stories and links today.
Spamhaus has announced their new domain block list (DBL). The DBL is a list of domains that have been found in spam.


FBI indicts 19 for internet related fraud

A federal grand jury in Dallas returned an indictment this week charging 19 individuals with conspiracy to commit wire and mail fraud. 15 of the defendants are charged with email fraud. All in all, these defendants are accused of defrauding various companies, from telcos to web developers, of $15,000,000.


TWSD: Privacy protection for commercial domains

One of my major pet peeves is supposedly legitimate companies hiding behind privacy protection in their whois records. There is absolutely no reason for a legitimate company to do this. There are lots of reasons a non-legitimate company might want to hide behind privacy services, but I have never heard a good reason for legitimate companies to hide.
Look, a company sending any commercial email is required by law to provide a physical postal address in every email they send. What point is there, then, to hiding addresses in whois records? The only thing it does is make a sender look like a spammer. If a sender is a business, then they need to have a real business address anyway, and that address should be available in their domain registration.
It may seem like a trivial point, it may seem minor, but spammers use domain privacy services to hide the various tendrils of their businesses. They don’t want anyone to be able to tell that domain A is related to domain B is related to domain C. Proxy services let them trivially hide their identities. This is the major business use of privacy protection. Real companies don’t need to hide behind privacy services.
Using domain privacy services makes senders look like spammers. One trivial thing that ISPs can do is stop providing FBLs or whitelistings to domains behind privacy services. This will weed out spammers without doing harm to real senders. Certification services can refuse to certify companies that hide their identity. My small contribution to the cause is to refuse to represent any company to an ISP if their domain is behind a privacy service.
Just to be clear, I have no problem with personal, non-business domains using privacy services. There are valid reasons individuals may want to hide their physical location. But businesses? Step up and quit hiding.
On the subject of privacy services, Mickey recently reviewed a court ruling that commented on the legality of using privacy services. The court says:


Lycos Europe shuts down

Multiple bloggers have commented on Lycos Europe shutting down. Some of them have linked to domains involved. One person, who wishes to remain anonymous, has sent me a list of domains which have an MX pointing at Lycos Europe. If you see a failure to resolve or connect to any of these domains in the coming weeks, you should remove all the email addresses at that domain from your lists. The list is about 500 domains, so they’re behind a cut.
