OK, so this one's not as egregious as the nitwits who put the OpenOffice.org email server on the SCBL because they were reporting newsletters they had subscribed to....but almost.

While digging through my Held mail folder (I'm a SC email customer), I stumbled upon an innocent newsletter from a Swedish software developer. It was regarding the free photo gallery software named "JAlbum" and I long ago gave them my email address when I registered my software. I checked why the false positive had happened and found that the sending IP [212.247.178.236] is on the SCBL, and when I looked at the "Report History" for that IP, all I saw were some copies of the same newsletter which I received, which are clearly careless, false reports, the same kind I identified involving the OpenOffice.org newsletters.

Here's a Tracking URL on my copy of the newsletter (note: the spam has been redacted for my privacy because this report was cancelled):

http://www.spamcop.net/sc?id=z1219243342z4...898d26819753adz

So, I'll contact the Deputies using the normal address to call their attention to the false reporting of this benign host. But there's a bit of a complication. When I looked up the reason for the listing of the Swedish IP on the SCBL, I saw this:


So, I did a little more research on the IP, because if it was actually "guilty" of sending to spam traps, you'd think that there's be some other "red flags" somewhere out there.

1. no hits on Google
2. no hits on Google Groups (where the abuse newsgroups are archived)
3. no other positives at the Robtex Multi-RBL check (http://www.robtex.com/rbls/212.247.178.236.html)
4. stats at SenderBase not alarming at all (http://www.senderbase.org/search?searchBy=ipaddress&searchString=212.247.178.236)

So, this adds to my existing suspicions that at least some of the addresses trusted by SC as "spam traps" were in previous use and were given out by their owners for things like software registrations. I've seen other obvious false attributions of spam trap hits before and this sure smells like one. JAlbum has been around for a long time and is used by millions of people. Also, they hardly ever send out any sort of "newsletters" or other communications, making them prime targets for this kind of false positive situation, in that SC reporters (and spam trap address owners) have forgotten that they once willingly supplied their addresses to this nice guy in Sweden, and this is his reward....being put on the SCBL!

I'll notify David Ekholm of this situation, but the harm has already been done, in that his attempt to contact his registered users has been disrupted by flaws in the SpamCop reporting/blocklisting system. You can challenge that if you'd like, but I was right about the OpenOffice situation and I'm convinced this is a similar situation.

DT

212.247.178.236 = shutter.jalbum.net was put on our list because it's sending this mail to our spamtraps.

Date: Thu, 8 Feb 2007
From: David Ekholm <david[at]jalbum.net>
Reply-To: david[at]jalbum.net
Subject: JAlbum Newsletter - February

A spamtrap is an unused address whose sole reason for existence is to see if people will send unsolicited mail to it. Spamtraps are basically the nonexistent addresses at small vanity domains owned by us or our associates. Mail to nonexistent addresses is proof-positive that email addresses are being added to a mailing list without the address owner's permission.

- Don D'Minion - SpamCop Admin -

...*and* because of the bogus reports by SC users...it says so right in the system, Don.


Didn't I already cover this issue? Here's what I just emailed back to Don, to David Ekholm, and to his IP host:


DT

It could also be that someone registered using a compromised spamtrap address with the malicious intent of getting him added to the SCBL. If he is not doing any kind of email confirmation, that is always a possibility. It might also be a sign that Don should check the traffic coming into that spamtrap and see if there are any other indications that the address might have been compromised somehow.

Or they are spamming
I agree, Don could check to see if it is multiple reporters and the spamtrap traffic.

It does raise a flag when there are spamtraps and manual reports

It *was* both factors, the Reporting System doesn't lie about things like that and you'll see an exact quote of what the Reporting System said about it approx. 8 hours ago. However, I now see that the IP is no longer listed, but since it came off the SCBL ahead of schedule, either someone used the self delisting option or a Deputy intervened. The SenderBase stats are off the charts now, because this server usually doesn't transmit much email and the JAlbum owner sent out his newsletter to a lot of addresses in the last 24 hours.


Did I mention manual reports? The report history could be all "quick" or other kinds of less-than-manual reporting. There's only been one more report show up since I first posted this topic.

DT

I said it wrong I did mean "Human" submissions.

If an IP is Joe jobbing the world as this one is it deserved to be blocked

A SpamCop spamtrap address is taken by using a webbot/spider program to scraping email addresses mainly off websites and newsgroups. These email addresses have around 16 random characters in address. This is better than bank security and odds are it cannot be "guessed"

Emailers are again and again and again and again and again and again and again and again and again and again etc told that Double opt-in needs to be compulsory for email lists (not rocket science)

Simple' a once only confirmation email is sent to email addressee, ideally with a url link with log-on details to accept/confirm that that party wishes for email to be sent and ONLY from a email address stated This confirmation needs to be kept

Other problems happen when senders of mail don't send at least monthly and reciever forgets after a year or so

Senders of this email are responsible for providing an unsubscribe option in applicable mail, and for ensuring that the unsubscribe channel is functional

Or they are spamming

Saying something repeatedly doesn't make it so, Merlyn. The JAlbum folks are NOT spamming. They are sending out a newletter to their large base of registered users, many who have forgotten that they registered. As for the spamtrap hit (and it seems to have only been one), I don't have enough information to do more than speculate how that might have happened. I'm waiting to hear from the owner/operator of JAlbum on that issue. All of the other evidence points to innocence on their part.

DT

I remember another instance where a newsletter was sent so irregularly that many people forgot they signed up. I believe that 'best practices' includes regular mailings, partly so people remember and partly so that if email addresses have been changed, that the mailing list manager is aware. Some of those people who are reporting may, in fact, not be signed up, but have chosen the same address as someone who signed up, but changed their address.

The spam trap address is another problem. The most likely way to have a spam trap address is to not use a confirmation email.

And, if they are not using a confirmation email, then they are 'spamming' - at least not using good practices.

Miss Betsy

Yes, it would be nice if everyone adhered to "best practices," but those practices have been a bit of a "moving target" in the last few years. The list of addresses used by this sender probably predates the general acceptance of some of those practices. Here's how he answered me in his public support forum:


I followed up with a response suggesting that he work with the Deputies to see what he can do, short of dumping his entire list and starting over. He might need to do an "after-the-fact" confirmation, in which he sends out a message to the effect that the recipient will have to take an action to *remain* subscribed to his messages, and then remove all those addresses for which the action is not taken. However, in order to make sure that such a message could go out, he'd have to get some sort of "special dispensation" from the SC Deputies lest a spamtrap hit put his IP immediately on the SCBL, thus causing many people not to receive and/or see the message. But that's between him and SpamCop.

DT

There is no need to contact the deputies. If he's reading his email, he has my email address. As you know, I copied him on the email I sent to you where I suggested that he could probably fix the problem by just deleting any new (unconfirmed) subscribers.

- Don -

That's not my interpretation, Don. When you wrote this:


You didn't seem to be aware that JAlbum seldom sends out such broadcast emails. I think the last one that they sent was last Summer, so the 90-day window is meaningless, because they didn't send anything during that period of time. Furthermore, it's also possible that their IP address and/or server situation has changed since the prior broadcasts. The Senderbase page on the current IP shows that the first time it was detected sending messages was 2006-08-08. They very well could have been landing on the SCBL each time they've sent out one of these sporadic messages in the past, so yes, I think that the owner of JAlbum would be well advised to do as I've suggested and work with the Deputies on some sort of after-the-fact confirmation of his entire list. If he doesn't, then the next time he transmits an email like this, his IP will very likely land on the SCBL again, meaning that many recipients will have trouble receiving the information.

DT

Just so there's no confusion about our trap addresses...

We do have a bunch of 16-character bait addresses, but the vast majority of our spamtraps are simply the nonexistent (never existed) addresses at small vanity domains owned by us or our associates around the world. If a spammer is using "guessing" software on a trap domain, pretty much everything he sends in that run will go straight to our trap system.

In this case, JAlbum is accepting forged subscriptions. Visitors are making up what they think are fake email addresses in order to get services from his web site without giving up their real email address.

Unfortunately for JAlbum, in this instance the domain in the forgery belongs to us and feeds our trap system.

SpamCop is typically just the tip of the iceberg in situations like this. There are likely hundreds, if not thousands, of other forged email addresses on the JAlbum list from people signing up their friends and enemies so they can download stuff without getting any email about it.

- Don -

Sounds perfectly logical, and I agree that he should be confirming those addresses. But given the situation he's in, the best thing for him to do, IMO, would be to send out a single "after-the-fact" confirmation message to his whole list, advising eveyone that wishes to remain on his list that they must take an affirmitve action to do so (either reply to the email or click on a link coded with their address). However, he won't be able to do this successfully unless you were to give him some sort of one-time "pass" on the spamtraps so that his IP wouldn't hit the SCBL part way through the delivery process, as it clearly did during his newsletter broadcast. I have no idea if you'd be open to such a negotiated process with him, which is why I've suggested that he get in touch with you.

Regarding the download/registration issue for JAlbum....it's entirely optional, so it doesn't make sense that people would be entering random/bogus addresses, because they're not being asked for and address in the first place. Take a look at his download page:

http://jalbum.net/download/

DT

I don't know if you meant the part about bringing the deputies into this, but I am the one handling this issue and there is no need to bring the deputies into it.

By golly, you've got me there! All that is definitely possible, or even likely. I noticed in the text of the newsletter where JAlbum said it had been a long time since the last newsletter, but I figured he meant like two weeks or something.

I might be inclined to help him out on a one-time basis if he wants to make some changes. However, you appear to be the only one concerned about this. I'm not so sure Mr. Ekholm gives a rats. I haven't heard from him yet. And if there was a problem in the past, nobody appears to have said anything about it.

I searched our email archives, which go back a long ways. There's nothing either to or from any address @jalbum.net, and the only mention of JAlbum is in the recent traffic between you and I.

There were some things that needed clarification.

It's always good to take a quote out of one of my emails and post it in public without my permission. It increases the chances of you never getting email from me again.

- Don -

Just to emphasise the point, he should also be pro-actively checking that his unsubscribe option actually works as mentioned earlier as I frequently come across the situation where I receive email from a source that I assess as reputable where I can't remember ever subscribing, but might have done at some time in the past so I always give them the benefit of the doubt and unsubscribe. All too often the unwanted mail still keeps coming.

I remember once, a long time ago, before the forum even, that someone got on the scbl because the unsubscribe was broken - which he discovered after getting on the scbl. He got no sympathy from any of the other posters. Just like admins with a computer that is compromised get no sympathy. Maybe some practical advice, but hey, if spam is coming because of a breakdown, sorry, but we want your IP address on the scbl.

Miss Betsy

...and I was similarly the only one who brought up the issue with the SCBL listing of OpenOffice.org, which had *some* similarities to this situation, but also some differences.


Thanks for doing so.


Sorry that bugs you so much. I removed the less informational of the two quotes above, if you'd care to remove it from your response....your choice.

Of course, in both of these recent cases, you've exposed my private email adress to the various SpamCop reporting system users without my permission, by replying not just to me and to the server admins involved, but also by CC'ing the report-related addresses (ie 123456789[at]reports.spamcop.net). I don't know those people, and they don't know me, but now they've got my personal email address on their computers, which may be infected zombies, for all we know. You could have sent them the information in a separate communication, yet you exposed my address instead.

DT

You don't get any sympathy from me. You're the one who complained, so you were the focus of my response, which included reaching out to involved users. Next time, leave the complaining to the server admin and I'll focus on him instead.

- Don -

I wasn't holding my breath, waiting for any.

DT

What I didn't add is if the mail keeps coming I report it of course - there is no excuse for a bogus or broken unsubscribe link - these things should be checked by the mailer by unsubscribing check emails.

Yeah... unsub links can be nice -- IF they work, or as long as they don't necessarily require you to log in. Monster, USAJobs, and other job sites tend to want you to log in to remove yourself from their mailing list.

I started a new job last month as the IT Manager for a small carpet company. The previous IT manager was subscribed to all sorts of things like Monster.com job alerts, USAJobs job alerts, Focus on the Family, 1800flowers, etc. Some of these are easy to get off of, but others are a real PITA if you don't have the login info!

I would say that one should be able to unsubscribe just by putting the email address into a box on a website and clicking "unsubscribe."

Marketing Manager Are you serious? That would make it too easy for someone to unsubscribe anyone else's e-mail address ..... we can't have that happening! No, no,no .. we have to make really, really sure that the person unsubscribing is really the same person that subscribed!!!!

But chances are we didn't make really really sure that the person subscribing really owns the email address that was subscribed in the first place, and that they really want our garbage, so it all evens out in the end.

In seriousness, an unsubscibe link in the emails that has a verification code much like a subscription confirmation would prevent a malicious user from unsubscribing everyone from a legitimate company's mailing list, and still wouldn't require any kind of login credentials.

Why assume all are lying?



I DO actually care a lot about this issue and I'm grateful for DavidT's help on this matter. I hope you stand by your offering to have the spam trap owners to unsubscribe from our opt-in mail list. We will soon implement a confirmation email procedure to avoid getting spamtrap addresses in future mailouts, but it is a pity that those 99.9% users who really want the mailout have to take this extra step to confirm such an email because of your practices.

Its always a good idea to confirm a subscription anyway. Since many people will always fill in an email address on a registration form with a fake email (even if the field is not required). It is also possible for someone to maliciously enter email addresses that they know are spamtraps to try to poison a list. Best practice for any mailing list is to always confirm a subscription, and not just because of spamcop.

I don't think that it is only spamcop who lists emails that go to spamtraps or spamcop reporters who report emails that they never subscribed to. Spamcop listing is usually an early warning sign and if the problem is not corrected, other blocklists start listing that IP address. Other blocklists are not as easy to get off since they are not automatic the way spamcop is.

Yes, it would be nice if everyone used only the email address and never made a typo and nobody ever maliciously signed up other people or mailing list merchants didn't get addresses from spiders who canvass the web. It would also be nice if nobody ever tried to cash a check on an account with no funds or use someone else's credit card or tried people's doors to see if they are unlocked or stole cars with the keys left in them.

Using confirmation emails to be sure that the person signing up really intended to and eliminating addresses from the mailing list that bounce and other 'best practices' is the same as locking doors, showing ids, etc. offline. It is merely prudent and customers realize that those who use good practices are also probably just as careful about revealing email or other information that they submit.

Miss Betsy

The correct way would be

There is an unsubscribe button, field where you can enter email address.
Once you enter the email address and hit the unsubscribe button, there will be a confirmation email that you have to answer.
Once the confirmation email is correctly answered, the email address is unsubscribed.

This is how most of the mailing lists (that I am part of) operate.

Another JAlbum newsletter came out yesterday, and a check of the SpamCop reporting history on their IP address turned up three false spam reports, so I'm notifying the owner of JAlbum once again that this ongoing problem hasn't yet been fully solved. I'm also notifying the three false reporters and hope that the Deputies take a good look at the other stuff that they are reporting. Here's what I sent:

I just checked out this site and you seem to be automatically added to their mailing list just for requesting the software:


So if I want the hosting account but don't want the newsletter, I need to signup and remember to unsubscribe to the newsletter. There is no option on the signup page not to get the newsletter.

I did not signup that way. I went through the support forum signup only, where there is no indication of a newsletter. I will report here if I get any unsolicited newsletters.

That statement doesn't seem to agree with this phrase that you quoted from the JAlbum website, Steven:


Apparently so, but the newsletter is mentioned, so it's no secret, and each one is sent out with this at the top:

Steven further wrote:

Fine, and I can also put you in touch with David Eckholm, the owner, in case you think his procedures don't meet your standards.

Plain and simple, he's simply NOT a spammer, and doesn't go around harvesting addresses and sending them commercial email addresses. He's only trying to communicate with his user base. His methods might not be perfect, but he has responded in a positive and responsible manner in the past and will most likely continue to do so. This is one of the cases of false reporting that I've "adopted" because I like the idea of freeware and open source software and don't like it when SpamCop users muck up communications from those sources by batch-reporting without due diligence.

DT

And I am simply testing that theory.

Without feedback from the reporters, I do not feel comfortable calling them irresponsible. You apparently do. It is possible the reports were in error, but it is also possible that THEY did NOT sign up and they still received the email, making it prefectly acceptable to report.

I have received many unsolicited emails from what appear to be "legitimate" sources. Usually, I take it as a teaching time to explain to them why what they are doing is wrong. I also did a test once on an email address that had been returning undeliverable messages for more than 2 years (person left the company) and when turned back on, was still subscribed to several (5 that I counted) major newsletters in just the week I watched it. If I had given that address to another user (the reason for my test, different person, same standard email address), they would have been swamped with legitimate newsletters THEY did not request.

...and from the many cases of such false reporting that I've enountered over the years, I'd elevate that past possible to very likely, but then, I'm probably acting a bit like those Blackwater thugs -- shooting first....but then, I'm not killing innocent people.

DT

He may be responsible. There are lots of 'responsible' people who don't intend to spam who do send unsolicited email to people who didn't ask for it and don't want it. Ignorance of the latest quirks is no excuse - like the people who still accept email and then send an email 'bounce' to the forged return path.

And, that's one of the mainsleaze tricks - to sign you up to newsletters and who knows what just because you request or buy something. I won't shop at Target or Chadwick's online because to 'unsubscribe' is tortuous. Maybe it's changed now, but 'best practices' is to give you a clear choice which they didn't a few years ago. Some people won't shop with Amazon for the same reason. For some reason, I get a Plow & Hearth email every once in a while and as far as I know I never even bought anything from them. I get another one that I mark as spam every once in a while on hotmail and as stringent as hotmail is, they still come through. Again, as far as I know, I never had a prior relationship with them.

Spam is unsolicited, unwanted email. If it is not obvious that you will get emails when you download or buy AND have a choice to say 'no', then it is likely that a recipient will consider an email spam. The ONLY way that emails should be sent is by Confirmed Subscription. And also that bounces are removed in case someone has forgotten to change all their newsletters when they changed their email address.

If I didn't knowingly sign up for emails, I consider them spam. I don't report unsolicited emails from people whom I have done business with because most ISPs won't do anything. But I have written snail mail letters to corporate headquarters and, as I said, I don't buy from, at least two, because I thought they should have known better. Other reporters continue to report without manually notifying them. IMHO, that's not the best method.

Miss Betsy

Miss Betsy,
I agree with much of what you wrote, but not 100%, because this isn't a perfect world, and because I'm no longer an "absolutist" when it comes to spam. I'm picking my battles, and giving some people the "benefit of the doubt," where previously I might not have.

DT

...Dogma aside and while I'm inclined to agree with StevenUnderwood and Miss Betsy here (I'm as dogmatic as they come in terms of my definition of spam), I have to say that I appreciate DT's efforts to try to fix these misunderstandings.
...FWIW, I generally don't report as spam any communications from anyone with whom I may have a relationship (especially since my wife doesn't always remember to tell me that she's used my e-mail address when she signed up for notifications from the places she likes to shop - she doesn't do e-mail <g>).

Hi, DT!
...This, from your first post in this Forum thread, kinda sounds "absolutist" in the other direction:This is what I was thinking about when I wrote, immediately above, "Dogma aside ..." -- that you were being somewhat dogmatic in your zeal to characterize misreporting and go after the perpetrators (not that I'm against that -- I agree that such misreporting hurts all of us).

As DT says, it's not a perfect world. One of the first discussions about the subject of reporters not being careful about what they submit was started by the manager of a /paid/ newsletter.

My contention is that spammers, like bad check artists, have created a problem where both legitimate vendors and customers are inconvenienced by the necessary practices to avoid the problem. I hate it when someone requires me to provide a photo id to use a check to purchase something. The problem with spam is a little bit reversed. It is the recipient who is making the rules, rather than the vendor. But living with the rules is part of doing business whoever is instituting them. Like the legitimate vendor who is signing people up the easy way and is insulted that anyone would think he is a spammer, I don't like it when vendors treat me as though I were a criminal. However, I can't purchase anything with a check unless I go along with their rules.

IMHO, to keep to the 'spirit' of the internet, one should try the most polite way of handling any problems. If one has had a prior relationship, no matter how sneaky the other party is in not telling you that you have signed up for a newsletter or third party offers, then you should deal with it one on one and not drag a spam reporting service in. Now that is dogmatic!

OTOH, there are mechanisms for the server admin who is reported falsely to deal with it. Again, the polite way is to respond to the report. The boorish way is to complain to spamcop and get the reporter's privileges cancelled.

But, bottom line is that the *sending* end of unsolicited, unwanted email is the only place that the problem can be corrected and that the person who is sending the email is the one that gains from it. Sometimes it may not be a monetary gain, but still you can lead a horse to water but you can't make him drink. If people don't want to hear about your good news, then you can't force them to.

And, while spamcop reporters can be identified and stopped from 'bad' reporting, there are numerous people who are pushing those 'this is spam' button in hotmail, yahoo, gmail, and other email services. No one can tell what effect they have. My husband gets some kind of report that he wants that comes to a hotmail address. The person sending it almost dropped us because some of his hotmail recipients weren't getting it - even when they marked his address as a 'favorite.' I don't know what happened, but I tried to persuade him to talk to hotmail. He wasn't thrilled about that, but since we now continue to get them, I guess he and hotmail worked out a plan. I was sure that the troubles happened because some inadvertently tagged it as spam, but unlike spamcop, hotmail won't tell you why you don't get email sent to you that is legitimate.

Like getting an infected machine and then getting a spamcop report is an early warning signal before one gets on other lists, mailing list managers should view spamcop reports as an early warning signal even if it turns out to be a false alarm and is totally a reporter error. The one time I reported a legitimate email as spam was years ago. Again, it was from a company that I dealt with, but a really large one that a spammer could gamble on my dealing with them and I wasn't expecting to get email from them - it was a survey. I didn't report the first email because it wasn't 'spammy' enough, but I did report the second one because it had a link to a 'free' prize if I completed the survey. After he cooled off, the mailing list manager said that that why I had reported was good to know. I haven't had very many email surveys from anyone since then so I probably wasn't the only one who was suspicious and none from companies that don't send me regular emails.

Dealing directly with the company who sends you email you don't want is part of the work of being an anti-spammer. Dealing with reporters who aren't perfect is part of the work of having a mailing list.

Miss Betsy

Very reasonable post, Miss Betsy...not a bit of that "everything is black and white" stuff that is so often seen from some of our more "rabid" friends in the anti-spamming community.


Exactly. Spammers have ruined it for everyone, making email communications far less reliable than they should be.


Bingo. The old advice to "never unsubscribe" is dogmatic and too extreme, IMO. For me, it depends upon how they got my address in the first place. If it looks to have been bought ("18 million addresses" etc.) and my business-related address was on one of those lists, then I've gotten pretty aggressive in the past, working my way through ISP contacts and getting people's service shut down. However, I usually go to the source (when it involves mainsleaze stuff) and give them a chance to tell me why I shouldn't go for blood. In many cases, I've gotten them to change their practices, delete lists, apologize, etc.


Yes, wouldn't that be nice, but out of the thousands and thousands of reports I've submitted over the years, I can probably count the responses I've received on one hand, so it's just not happening.


I've personally managed a variety of lists, some with thousands of recipients, and have had frequent delivery issues with Hotmail, Yahoo, and AOL over the years. People with those addresses should simply expect that they're going to lose desired mail randomly, but most are unaware that it happens.


Unfortunately, the managers of mailing lists usually don't ever see those reports, which get (mis)handled by server admins....if the server admins actually get to see the reports, which are often sent upstream, to the connectivity providers, who similarly (mis)handle them.


I've done that many times, but what I've been labeling "bogus reports" are often submitted in error, such as when a SpamCop email customer submits their entire Held mail collection without looking for false positives. And then there are the extremists who insist on reporting everything they consider to be spam, even when some of it might be in a gray area. Seems that you are capable of more evolved thinking, past the "black or white" mentality.

DT

...Agreed that "Never unsubscribe" is dogmatic and extreme. For the record, though, the suggestion I see most often is (I'm paraphrasing) "never unsubscribe to something to which you never subscribed," which is much less extreme.

Yes, less extreme, but still too absolute for me. I prefer to take each situation as it comes and apply my own judgement about how to respond, rather than following any prescribed "rule of thumb."

DT

I don't know, it seems like a pretty black and white issue to me. Either I subscribed to receive mail from a particular individual or organization, or I did not. I don't see any way that I could "sort of" subscribe... Now, on the other hand, if I'm receiving email because I put my email address into a registration form, and failed to read the privacy policy that I agreed to by submitting the information, then it is my own fault for not knowing exactly what I was asking for. But again, technically I did subscribe to it at that point.

A good idea for any mail list admin is to start off with a paragraph explaining why I received the email:

"You are receiving this email because you signed up to receive this information when you download [insert free download here] from someplace.com. If you no longer wish to receive this information, please unsubscribe using the unsubscribe instructions at the bottom of this email."

This should be at the TOP as most people aren't going to bother scrolling down to see if the information is included somewhere, but I think most people will at least glance at the first paragraph or so of any "questionable" email to determine if it is really something they signed up for.

From the earlier discussion here, it sounds like this list might not be using some best practices, like signup confirmation emails. Again, ignorance != innocence. If you want your newsletter delivered reliably, you need to make sure to follow best practices for mailing lists.

I loaded JAlbum and the first thing it tried to do was phone home. Naturally I did not let it. Why does it do this?

Very good...you're venturing away from the "black or white" into the gray area... :-)


They are now...they've been around a long time and weren't using the best practices initially.

DT


Most likely to check for updates. Freeware and Shareware can be downloaded from a lot of third-party sites, and its easy to wind up downloading a "stale" version, so I've seen many programs "phone home" to check if there's an updated version available.

DT

It seems to be decent but it should not be looking for updates or anything else beyond my machine unless it asks for approval first.

The software has a support forum...if you're concerned or curious, I'd suggest you ask there. My Apple software just "phoned home" and told me I needed a security update for iTunes...it told me it was there, and didn't ask first if it could check. My Micro$loth software (operating system) frequently contacts Redmond to see if there are security updates....it's doesn't ask my permission first. I have lots of other software that does the same...it's not at all unusual.

DT

When all recent versions of Windows is first installed, it does not do automatic updates but asks you to setup either automatic updates, download only, check only and notify, or nothing. Normally, you would setup whichever version suits your preferences and network capabilities.

My iTunes had the same thing the first time it was run.

Both of those likely were approved before it accessed the internet the first time. I don't know anything about JAlbum software (and am not interested).

Of course, but they strongly recommend that you allow the process to be automatic, and that kind of array of choices, while not unusual, is far from universal. Anti-virus programs tend to "phone home" in the background, which is generally a good thing, lest the user forget to check for updates regularly. I've got a Java update notification from Sun sitting in my System Tray at the moment, yet another one that periodically "phones home." My point is that it's not at all unusual, and yet if Merlyn has questions or concerns about it, I pointed him to a good source of assistance.

DT

I think this is the crux of the issue here. I had a similar situation a while back, where I started receiving spam from a golf equipment supplier. Reported it via Spamcop, and got an email back from the Deputies after a couple of days saying the sender was claiming I had subscribed and was false-reporting, and would I please explain.

When I looked into it I found that this company had an online golf game, which you could only play if you entered an email address. Well, of course nobody in their right mind is going to leave their real address, so somebody used anyoldname[at]mydomain.com. And of course the golf supplier didn't do any sort of verification of the address, and I start getting newsletters I had never signed up for ....

But of course for me this IS spam, and this may well be the same for the other reporters in this particular case. Just because some people would find a golf newsletter interesting, and just because the supplier is "legitimate" and trying his best, doesn't mean that people receiving mail they have never signed up for from a clueless admin should be vilified for reporting it as spam.

And just out of interest, I am not a rabid anti-spammer and in this particular case once I had established that they were indeed "genuine but clueless" I gave them my address so they could unsubscribe me, together with some advice on how to clean up their list and verify addresses properly in the future.