False reporting of newsletters puts "JAlbum" on Blocklist

[Telarin]

Marketing Manager Are you serious? That would make it too easy for someone to unsubscribe anyone else's e-mail address ..... we can't have that happening! No, no,no .. we have to make really, really sure that the person unsubscribing is really the same person that subscribed!!!!

But chances are we didn't make really really sure that the person subscribing really owns the email address that was subscribed in the first place, and that they really want our garbage, so it all evens out in the end.

In seriousness, an unsubscibe link in the emails that has a verification code much like a subscription confirmation would prevent a malicious user from unsubscribing everyone from a legitimate company's mailing list, and still wouldn't require any kind of login credentials.

[davidekholm]

By golly, you've got me there! All that is definitely possible, or even likely. I noticed in the text of the newsletter where JAlbum said it had been a long time since the last newsletter, but I figured he meant like two weeks or something.

Why assume all are lying?

I might be inclined to help him out on a one-time basis if he wants to make some changes. However, you appear to be the only one concerned about this. I'm not so sure Mr. Ekholm gives a rats. I haven't heard from him yet. And if there was a problem in the past, nobody appears to have said anything about it.

I DO actually care a lot about this issue and I'm grateful for DavidT's help on this matter. I hope you stand by your offering to have the spam trap owners to unsubscribe from our opt-in mail list. We will soon implement a confirmation email procedure to avoid getting spamtrap addresses in future mailouts, but it is a pity that those 99.9% users who really want the mailout have to take this extra step to confirm such an email because of your practices.

[Telarin]

Its always a good idea to confirm a subscription anyway. Since many people will always fill in an email address on a registration form with a fake email (even if the field is not required). It is also possible for someone to maliciously enter email addresses that they know are spamtraps to try to poison a list. Best practice for any mailing list is to always confirm a subscription, and not just because of spamcop.

[Miss Betsy]

Why assume all are lying?

I DO actually care a lot about this issue and I'm grateful for DavidT's help on this matter. I hope you stand by your offering to have the spam trap owners to unsubscribe from our opt-in mail list. We will soon implement a confirmation email procedure to avoid getting spamtrap addresses in future mailouts, but it is a pity that those 99.9% users who really want the mailout have to take this extra step to confirm such an email because of your practices.

I don't think that it is only spamcop who lists emails that go to spamtraps or spamcop reporters who report emails that they never subscribed to. Spamcop listing is usually an early warning sign and if the problem is not corrected, other blocklists start listing that IP address. Other blocklists are not as easy to get off since they are not automatic the way spamcop is.

Yes, it would be nice if everyone used only the email address and never made a typo and nobody ever maliciously signed up other people or mailing list merchants didn't get addresses from spiders who canvass the web. It would also be nice if nobody ever tried to cash a check on an account with no funds or use someone else's credit card or tried people's doors to see if they are unlocked or stole cars with the keys left in them.

Using confirmation emails to be sure that the person signing up really intended to and eliminating addresses from the mailing list that bounce and other 'best practices' is the same as locking doors, showing ids, etc. offline. It is merely prudent and customers realize that those who use good practices are also probably just as careful about revealing email or other information that they submit.

Miss Betsy

[kamaraju]

Marketing Manager Are you serious? That would make it too easy for someone to unsubscribe anyone else's e-mail address ..... we can't have that happening! No, no,no .. we have to make really, really sure that the person unsubscribing is really the same person that subscribed!!!!

The correct way would be

There is an unsubscribe button, field where you can enter email address.

Once you enter the email address and hit the unsubscribe button, there will be a confirmation email that you have to answer.

Once the confirmation email is correctly answered, the email address is unsubscribed.

This is how most of the mailing lists (that I am part of) operate.

[DavidT]

Another JAlbum newsletter came out yesterday, and a check of the SpamCop reporting history on their IP address turned up three false spam reports, so I'm notifying the owner of JAlbum once again that this ongoing problem hasn't yet been fully solved. I'm also notifying the three false reporters and hope that the Deputies take a good look at the other stuff that they are reporting. Here's what I sent:

To: David Ekholm

Subject: More false SpamCop reports of JAlbum newsletter

CC: Bahnhof.se Abuse, SpamCop Deputies, three false reporters

David,

I checked the SpamCop reporting database, and there have been three more false reports of your newsletters as spam:

Submitted: Wednesday, October 03, 2007 9:37:54 PM -0700:

JAlbum Newsletter - October

* 2537680352 ( 213.136.35.49 ) To: ripe[at]bahnhof.se

Submitted: Wednesday, October 03, 2007 8:17:24 PM -0700:

JAlbum Newsletter - October

* 2537583087 ( 213.136.35.49 ) To: ripe[at]bahnhof.se

Submitted: Wednesday, October 03, 2007 8:17:20 PM -0700:

JAlbum Newsletter - October

* 2537583158 ( 213.136.35.49 ) To: ripe[at]bahnhof.se

They are all submitted to <ripe[at]bahnhof.se>, so you should contact Bahnhof for details of the reports, which include information about disputing the false reports to SpamCop. I'm copying this to the SpamCop Deputies and Bahnhof so that they will be aware of the false reporting. I am also copying the temporary email addresses related to the three SpamCop users who have filed the false reports, so that they will be aware that they are making false reports. Those addresses are:

2537680352[at]reports.spamcop.net

2537583087[at]reports.spamcop.net

2537583158[at]reports.spamcop.net

You may also wish to write to them and ask that their either unsubscribe from your newsletter or stop reporting the newsletters as if they were spam.

Peace,

DT

SpamCop user and JAlbum user

[StevenUnderwood]

Another JAlbum newsletter came out yesterday, and a check of the SpamCop reporting history on their IP address turned up three false spam reports, so I'm notifying the owner of JAlbum once again that this ongoing problem hasn't yet been fully solved. I'm also notifying the three false reporters and hope that the Deputies take a good look at the other stuff that they are reporting. Here's what I sent:

I just checked out this site and you seem to be automatically added to their mailing list just for requesting the software:

Signing up is optional, but by doing so:

You get a free 30 MB (≈ 200 images) JAlbum hosting account for your albums. (Max one free account per person.)

You can ask questions in the support forum

You will be notified about updates

You can rate and comment other users' skins or upload yours'

On occasion (maximum once a month) you receive the JAlbum newsletter with valuable hints on how to improve your albums, skin news and related services

So if I want the hosting account but don't want the newsletter, I need to signup and remember to unsubscribe to the newsletter. There is no option on the signup page not to get the newsletter.

I did not signup that way. I went through the support forum signup only, where there is no indication of a newsletter. I will report here if I get any unsolicited newsletters.

[DavidT]

I just checked out this site and you seem to be automatically added to their mailing list just for requesting the software

That statement doesn't seem to agree with this phrase that you quoted from the JAlbum website, Steven:

Signing up is optional

So if I want the hosting account but don't want the newsletter, I need to signup and remember to unsubscribe to the newsletter.

Apparently so, but the newsletter is mentioned, so it's no secret, and each one is sent out with this at the top:

(Please see bottom of this email for unsubscribe instructions if you receive this email in error)

Steven further wrote:

I did not signup that way. I went through the support forum signup only, where there is no indication of a newsletter. I will report here if I get any unsolicited newsletters.

Fine, and I can also put you in touch with David Eckholm, the owner, in case you think his procedures don't meet your standards.

Plain and simple, he's simply NOT a spammer, and doesn't go around harvesting addresses and sending them commercial email addresses. He's only trying to communicate with his user base. His methods might not be perfect, but he has responded in a positive and responsible manner in the past and will most likely continue to do so. This is one of the cases of false reporting that I've "adopted" because I like the idea of freeware and open source software and don't like it when SpamCop users muck up communications from those sources by batch-reporting without due diligence.

DT

[StevenUnderwood]

Plain and simple, he's simply NOT a spammer, and doesn't go around harvesting addresses and sending them commercial email addresses.

And I am simply testing that theory.

Without feedback from the reporters, I do not feel comfortable calling them irresponsible. You apparently do. It is possible the reports were in error, but it is also possible that THEY did NOT sign up and they still received the email, making it prefectly acceptable to report.

I have received many unsolicited emails from what appear to be "legitimate" sources. Usually, I take it as a teaching time to explain to them why what they are doing is wrong. I also did a test once on an email address that had been returning undeliverable messages for more than 2 years (person left the company) and when turned back on, was still subscribed to several (5 that I counted) major newsletters in just the week I watched it. If I had given that address to another user (the reason for my test, different person, same standard email address), they would have been swamped with legitimate newsletters THEY did not request.

[DavidT]

It is possible the reports were in error

...and from the many cases of such false reporting that I've enountered over the years, I'd elevate that past possible to very likely, but then, I'm probably acting a bit like those Blackwater thugs -- shooting first....but then, I'm not killing innocent people.

DT

[Miss Betsy]

<snip>

Plain and simple, he's simply NOT a spammer, and doesn't go around harvesting addresses and sending them commercial email addresses. He's only trying to communicate with his user base. His methods might not be perfect, but he has responded in a positive and responsible manner in the past and will most likely continue to do so.

He may be responsible. There are lots of 'responsible' people who don't intend to spam who do send unsolicited email to people who didn't ask for it and don't want it. Ignorance of the latest quirks is no excuse - like the people who still accept email and then send an email 'bounce' to the forged return path.

And, that's one of the mainsleaze tricks - to sign you up to newsletters and who knows what just because you request or buy something. I won't shop at Target or Chadwick's online because to 'unsubscribe' is tortuous. Maybe it's changed now, but 'best practices' is to give you a clear choice which they didn't a few years ago. Some people won't shop with Amazon for the same reason. For some reason, I get a Plow & Hearth email every once in a while and as far as I know I never even bought anything from them. I get another one that I mark as spam every once in a while on hotmail and as stringent as hotmail is, they still come through. Again, as far as I know, I never had a prior relationship with them.

spam is unsolicited, unwanted email. If it is not obvious that you will get emails when you download or buy AND have a choice to say 'no', then it is likely that a recipient will consider an email spam. The ONLY way that emails should be sent is by Confirmed Subscription. And also that bounces are removed in case someone has forgotten to change all their newsletters when they changed their email address.

If I didn't knowingly sign up for emails, I consider them spam. I don't report unsolicited emails from people whom I have done business with because most ISPs won't do anything. But I have written snail mail letters to corporate headquarters and, as I said, I don't buy from, at least two, because I thought they should have known better. Other reporters continue to report without manually notifying them. IMHO, that's not the best method.

Miss Betsy

[DavidT]

Miss Betsy,

I agree with much of what you wrote, but not 100%, because this isn't a perfect world, and because I'm no longer an "absolutist" when it comes to spam. I'm picking my battles, and giving some people the "benefit of the doubt," where previously I might not have.

DT

[turetzsr]

...Dogma aside and while I'm inclined to agree with StevenUnderwood and Miss Betsy here (I'm as dogmatic as they come in terms of my definition of spam), I have to say that I appreciate DT's efforts to try to fix these misunderstandings.

...FWIW, I generally don't report as spam any communications from anyone with whom I may have a relationship (especially since my wife doesn't always remember to tell me that she's used my e-mail address when she signed up for notifications from the places she likes to shop - she doesn't do e-mail <g>).

<snip>

and because I'm no longer an "absolutist" when it comes to spam. I'm picking my battles, and giving some people the "benefit of the doubt," where previously I might not have.

<snip>

Hi, DT!

...This, from your first post in this Forum thread, kinda sounds "absolutist" in the other direction:

OK, so this one's not as egregious as the nitwits who put the OpenOffice.org email server on the SCBL because they were reporting newsletters they had subscribed to....but almost.

<snip>

This is what I was thinking about when I wrote, immediately above, "Dogma aside ..." -- that you were being somewhat dogmatic in your zeal to characterize misreporting and go after the perpetrators (not that I'm against that -- I agree that such misreporting hurts all of us).

[Miss Betsy]

As DT says, it's not a perfect world. One of the first discussions about the subject of reporters not being careful about what they submit was started by the manager of a /paid/ newsletter.

My contention is that spammers, like bad check artists, have created a problem where both legitimate vendors and customers are inconvenienced by the necessary practices to avoid the problem. I hate it when someone requires me to provide a photo id to use a check to purchase something. The problem with spam is a little bit reversed. It is the recipient who is making the rules, rather than the vendor. But living with the rules is part of doing business whoever is instituting them. Like the legitimate vendor who is signing people up the easy way and is insulted that anyone would think he is a spammer, I don't like it when vendors treat me as though I were a criminal. However, I can't purchase anything with a check unless I go along with their rules.

IMHO, to keep to the 'spirit' of the internet, one should try the most polite way of handling any problems. If one has had a prior relationship, no matter how sneaky the other party is in not telling you that you have signed up for a newsletter or third party offers, then you should deal with it one on one and not drag a spam reporting service in. Now that is dogmatic!

OTOH, there are mechanisms for the server admin who is reported falsely to deal with it. Again, the polite way is to respond to the report. The boorish way is to complain to spamcop and get the reporter's privileges cancelled.

But, bottom line is that the *sending* end of unsolicited, unwanted email is the only place that the problem can be corrected and that the person who is sending the email is the one that gains from it. Sometimes it may not be a monetary gain, but still you can lead a horse to water but you can't make him drink. If people don't want to hear about your good news, then you can't force them to.

And, while spamcop reporters can be identified and stopped from 'bad' reporting, there are numerous people who are pushing those 'this is spam' button in hotmail, yahoo, gmail, and other email services. No one can tell what effect they have. My husband gets some kind of report that he wants that comes to a hotmail address. The person sending it almost dropped us because some of his hotmail recipients weren't getting it - even when they marked his address as a 'favorite.' I don't know what happened, but I tried to persuade him to talk to hotmail. He wasn't thrilled about that, but since we now continue to get them, I guess he and hotmail worked out a plan. I was sure that the troubles happened because some inadvertently tagged it as spam, but unlike spamcop, hotmail won't tell you why you don't get email sent to you that is legitimate.

Like getting an infected machine and then getting a spamcop report is an early warning signal before one gets on other lists, mailing list managers should view spamcop reports as an early warning signal even if it turns out to be a false alarm and is totally a reporter error. The one time I reported a legitimate email as spam was years ago. Again, it was from a company that I dealt with, but a really large one that a spammer could gamble on my dealing with them and I wasn't expecting to get email from them - it was a survey. I didn't report the first email because it wasn't 'spammy' enough, but I did report the second one because it had a link to a 'free' prize if I completed the survey. After he cooled off, the mailing list manager said that that why I had reported was good to know. I haven't had very many email surveys from anyone since then so I probably wasn't the only one who was suspicious and none from companies that don't send me regular emails.

Dealing directly with the company who sends you email you don't want is part of the work of being an anti-spammer. Dealing with reporters who aren't perfect is part of the work of having a mailing list.

Miss Betsy

[DavidT]

Very reasonable post, Miss Betsy...not a bit of that "everything is black and white" stuff that is so often seen from some of our more "rabid" friends in the anti-spamming community.

My contention is that spammers, like bad check artists, have created a problem where both legitimate vendors and customers are inconvenienced by the necessary practices to avoid the problem.

Exactly. Spammers have ruined it for everyone, making email communications far less reliable than they should be.

If one has had a prior relationship, no matter how sneaky the other party is in not telling you that you have signed up for a newsletter or third party offers, then you should deal with it one on one and not drag a spam reporting service in.

Bingo. The old advice to "never unsubscribe" is dogmatic and too extreme, IMO. For me, it depends upon how they got my address in the first place. If it looks to have been bought ("18 million addresses" etc.) and my business-related address was on one of those lists, then I've gotten pretty aggressive in the past, working my way through ISP contacts and getting people's service shut down. However, I usually go to the source (when it involves mainsleaze stuff) and give them a chance to tell me why I shouldn't go for blood. In many cases, I've gotten them to change their practices, delete lists, apologize, etc.

OTOH, there are mechanisms for the server admin who is reported falsely to deal with it. Again, the polite way is to respond to the report.

Yes, wouldn't that be nice, but out of the thousands and thousands of reports I've submitted over the years, I can probably count the responses I've received on one hand, so it's just not happening.

The person sending it almost dropped us because some of his hotmail recipients weren't getting it

I've personally managed a variety of lists, some with thousands of recipients, and have had frequent delivery issues with Hotmail, Yahoo, and AOL over the years. People with those addresses should simply expect that they're going to lose desired mail randomly, but most are unaware that it happens.

mailing list managers should view spamcop reports as an early warning signal even if it turns out to be a false alarm and is totally a reporter error

Unfortunately, the managers of mailing lists usually don't ever see those reports, which get (mis)handled by server admins....if the server admins actually get to see the reports, which are often sent upstream, to the connectivity providers, who similarly (mis)handle them.

Dealing directly with the company who sends you email you don't want is part of the work of being an anti-spammer.

I've done that many times, but what I've been labeling "bogus reports" are often submitted in error, such as when a SpamCop email customer submits their entire Held mail collection without looking for false positives. And then there are the extremists who insist on reporting everything they consider to be spam, even when some of it might be in a gray area. Seems that you are capable of more evolved thinking, past the "black or white" mentality.

DT

[turetzsr]

<snip>

The old advice to "never unsubscribe" is dogmatic and too extreme, IMO.

<snip>

...Agreed that "Never unsubscribe" is dogmatic and extreme. For the record, though, the suggestion I see most often is (I'm paraphrasing) "never unsubscribe to something to which you never subscribed," which is much less extreme.

[DavidT]

For the record, though, the suggestion I see most often is (I'm paraphrasing) "never unsubscribe to something to which you never subscribed," which is much less extreme.

Yes, less extreme, but still too absolute for me. I prefer to take each situation as it comes and apply my own judgement about how to respond, rather than following any prescribed "rule of thumb."

DT

[Telarin]

I don't know, it seems like a pretty black and white issue to me. Either I subscribed to receive mail from a particular individual or organization, or I did not. I don't see any way that I could "sort of" subscribe... Now, on the other hand, if I'm receiving email because I put my email address into a registration form, and failed to read the privacy policy that I agreed to by submitting the information, then it is my own fault for not knowing exactly what I was asking for. But again, technically I did subscribe to it at that point.

A good idea for any mail list admin is to start off with a paragraph explaining why I received the email:

"You are receiving this email because you signed up to receive this information when you download [insert free download here] from someplace.com. If you no longer wish to receive this information, please unsubscribe using the unsubscribe instructions at the bottom of this email."

This should be at the TOP as most people aren't going to bother scrolling down to see if the information is included somewhere, but I think most people will at least glance at the first paragraph or so of any "questionable" email to determine if it is really something they signed up for.

From the earlier discussion here, it sounds like this list might not be using some best practices, like signup confirmation emails. Again, ignorance != innocence. If you want your newsletter delivered reliably, you need to make sure to follow best practices for mailing lists.

[Merlyn]

I loaded JAlbum and the first thing it tried to do was phone home. Naturally I did not let it. Why does it do this?

[DavidT]

Now, on the other hand, if I'm receiving email because I put my email address into a registration form, and failed to read the privacy policy that I agreed to by submitting the information, then it is my own fault for not knowing exactly what I was asking for.

Very good...you're venturing away from the "black or white" into the gray area... :-)

From the earlier discussion here, it sounds like this list might not be using some best practices, like signup confirmation emails.

They are now...they've been around a long time and weren't using the best practices initially.

DT

I loaded JAlbum and the first thing it tried to do was phone home. Naturally I did not let it. Why does it do this?

Most likely to check for updates. Freeware and Shareware can be downloaded from a lot of third-party sites, and its easy to wind up downloading a "stale" version, so I've seen many programs "phone home" to check if there's an updated version available.

DT

[Merlyn]

It seems to be decent but it should not be looking for updates or anything else beyond my machine unless it asks for approval first.

[DavidT]

It seems to be decent but it should not be looking for updates or anything else beyond my machine unless it asks for approval first.

The software has a support forum...if you're concerned or curious, I'd suggest you ask there. My Apple software just "phoned home" and told me I needed a security update for iTunes...it told me it was there, and didn't ask first if it could check. My Micro$loth software (operating system) frequently contacts Redmond to see if there are security updates....it's doesn't ask my permission first. I have lots of other software that does the same...it's not at all unusual.

DT

[StevenUnderwood]

The software has a support forum...if you're concerned or curious, I'd suggest you ask there. My Apple software just "phoned home" and told me I needed a security update for iTunes...it told me it was there, and didn't ask first if it could check. My Micro$loth software (operating system) frequently contacts Redmond to see if there are security updates....it's doesn't ask my permission first. I have lots of other software that does the same...it's not at all unusual.

When all recent versions of Windows is first installed, it does not do automatic updates but asks you to setup either automatic updates, download only, check only and notify, or nothing. Normally, you would setup whichever version suits your preferences and network capabilities.

My iTunes had the same thing the first time it was run.

Both of those likely were approved before it accessed the internet the first time. I don't know anything about JAlbum software (and am not interested).

[DavidT]

When all recent versions of Windows is first installed, it does not do automatic updates but asks you to setup either automatic updates, download only, check only and notify, or nothing.

Of course, but they strongly recommend that you allow the process to be automatic, and that kind of array of choices, while not unusual, is far from universal. Anti-virus programs tend to "phone home" in the background, which is generally a good thing, lest the user forget to check for updates regularly. I've got a Java update notification from Sun sitting in my System Tray at the moment, yet another one that periodically "phones home." My point is that it's not at all unusual, and yet if Merlyn has questions or concerns about it, I pointed him to a good source of assistance.

DT

[Dangerman]

Its always a good idea to confirm a subscription anyway. Since many people will always fill in an email address on a registration form with a fake email (even if the field is not required). It is also possible for someone to maliciously enter email addresses that they know are spamtraps to try to poison a list. Best practice for any mailing list is to always confirm a subscription, and not just because of spamcop.

I think this is the crux of the issue here. I had a similar situation a while back, where I started receiving spam from a golf equipment supplier. Reported it via Spamcop, and got an email back from the Deputies after a couple of days saying the sender was claiming I had subscribed and was false-reporting, and would I please explain.

When I looked into it I found that this company had an online golf game, which you could only play if you entered an email address. Well, of course nobody in their right mind is going to leave their real address, so somebody used anyoldname[at]mydomain.com. And of course the golf supplier didn't do any sort of verification of the address, and I start getting newsletters I had never signed up for ....

But of course for me this IS spam, and this may well be the same for the other reporters in this particular case. Just because some people would find a golf newsletter interesting, and just because the supplier is "legitimate" and trying his best, doesn't mean that people receiving mail they have never signed up for from a clueless admin should be vilified for reporting it as spam.

And just out of interest, I am not a rabid anti-spammer and in this particular case once I had established that they were indeed "genuine but clueless" I gave them my address so they could unsubscribe me, together with some advice on how to clean up their list and verify addresses properly in the future.