Major E-mail Delivery for FTC DNCR Launch
Good Afternoon and forgive the new guy if I break any rules or conventions.

I work for AT&T Government Solutions and we are about to launch the Do Not Call Registry for the Federal Trade Commission. At a high level this allows consumers to register their phone numbers to keep most telemarketers from calling their homes. Penalties for calling a consumer on the list can be $11K per call and enforcement begins in October.

We are launching consumer registrations on Friday. My concern:

- every registration using the web generates an email which must be opened to complete the registration process

We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning Friday. These will be from the same address and have the same subject line.

I am worried about denial of service or blocking by spam filters if providers are not aware this is coming.

I am hoping this group is a good medium to get the word out to inform the community of this impending event.

At this time I am unable to provide the link or email address, but will do so on Thursday evening if it is of value.

Any thoughts?

Richard M. Callahan
Client Business Manager
AT&T Government Solutions
Office: (703)506-5780
Mobile: (703)608-0665
Fax: (703)245-3749
On Wed, 25 Jun 2003, Callahan, Richard M, SOLGV wrote:
> Good Afternoon and forgive the new guy if I break any rules or conventions.
> I work for AT&T Government Solutions and we are about to launch the Do Not Call Registry for the Federal Trade Commission. At a high level this allows consumers to register their phone numbers to keep most telemarketers from calling their homes. Penalties for calling a consumer on the list can be $11K per call and enforcement begins in October.
And we thank you for it. If only you could apply this approach to spam... :(
> We are launching consumer registrations on Friday. My concern:
> - every registration using the web generates an email which must be opened to complete the registration process
> We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning Friday. These will be from the same address and have the same subject line.
> I am worried about denial of service or blocking by spam filters if providers are not aware this is coming.
> I am hoping this group is a good medium to get the word out to inform the community of this impending event.
> At this time I am unable to provide the link or email address, but will do so on Thursday evening if it is of value.
> Any thoughts?
Posting to the news.admin.net-abuse.email newsgroup would definitely be a good idea. The worst bunch to deal with is the SPEWS crew, and that's their only contact method.

However, you don't really run too much risk; we provide co-location services for an organization that does large opt-in only mailings (financial services newsletters, catalogs, etc). They get almost NO complaints, which is absolutely amazing considering the amount of mail they send out. The complaints they do get are swiftly met with proof of opt-in, which you guys will obviously have. They haven't had problems with blacklists, and have been in business for several years.

If you were to provide evidence of the request in the email that you send out, and considering that this is basically an anti-phone-spam service, I'm willing to wager your complaint rate will be very minimal, especially if the email arrives quickly after the request for processing.

Andy

---
Andy Dills
Xecunet, Inc.
www.xecu.net
301-682-9972
---
One of my system admins passed the following, and he does have a point:

You might pass back: The range of IP addresses that this stuff will be coming from, along with an assurance that only these mails will be coming from these servers would allow us to whitelist those addresses.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812
E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749
You might want to look at one of the professional whitelisting outfits.

http://www.bondedsender.org
http://www.habeas.com/

are two I know of that seem to be supported.

--
Simon Lyall. | Newsmaster | Work: simon.lyall@ihug.co.nz
Senior Network/System Admin | Postmaster | Home: simon@darkmere.gen.nz
Ihug Ltd, Auckland, NZ | Asst Doorman | Web: http://www.darkmere.gen.nz
* Make sure repeated attempts to register the same e-mail address get throttled. Don't make the web server a way to e-mail bomb people.

* Put in the e-mail a clear, short, easy to read over the phone link (http://www.yoursite.com/spam.html) that describes what action on the web site sends these e-mails, how to identify an e-mail as actually coming from the site, and where to report any sort of mailbombing (back to the first point).

* Make sure your mail servers are squeaky clean. Forward and reverse match, valid MX's, they report their own name in SMTP headers, no "untrusted sender used -f", etc. Valid abuse@ for the machine name, and the parent domain are essential. Valid contacts for the domain and IP block are helpful.

In general this sounds like a low-risk activity, as described.

--
Leo Bicknell - bicknell@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org
On Wednesday, Jun 25, 2003, at 21:25 Canada/Eastern, Leo Bicknell wrote:
> * Put in the e-mail a clear, short, easy to read over the phone link (http://www.yoursite.com/spam.html) that describes what action on the web site sends these e-mails, how to identify an e-mail as actually coming from the site, and where to report any sort of mailbombing (back to the first point).
Except possibly don't use the word "spam", or anything else that is liable to trip SpamAssassin and friends into giving your messages a high score (so references to abdominal anatomy and cable tv decoders are also probably unwise :).

I'm frequently surprised that more people don't run their (legitimate, opt-in, whatever) bulk mail through SpamAssassin before they send it in order to see how spam-like it looks. I'm forever having to pick itineraries and electronic tickets from airlines out of my spam folder.

Joe
Leo Bicknell wrote:
> * Make sure your mail servers are squeaky clean. Forward and reverse match, valid MX's, they report their own name in SMTP headers, no "untrusted sender used -f", etc. Valid abuse@ for the machine name, and the parent domain are essential. Valid contacts for the domain and IP block are helpful.
In addition to having all the above properly set up so that your mail servers appear squeaky clean from the outside, make sure they ARE squeaky clean - on the inside.

You may wish to raise this issue on the spam-l mailing list:

<http://www.claws-and-paws.com/spam-l/>

The participants on spam-l will be happy to share with you the many ways spammers relay thru web and mail servers, and how to ensure (and test) that your servers can't be abused.

All the pre-emptive whitelisting in the world won't help you if your machines are open relays and spammers start sending spew thru your mail servers. There are too many systems that will automatically blacklist your IPs if they start spewing actual spam, and then you will have to go one-by-one to each of them to get unblocked. It's much better to avoid the problem by not letting your machines send any spam in the first place!

jc
## On 2003-06-25 21:25 -0400 Leo Bicknell typed:

LB> * Put in the e-mail a clear, short, easy to read over the phone
LB> link (http://www.yoursite.com/spam.html)

Oops: this is an existing URL titled "FREE Credit Card Gateway" :-(

LB> that describes what
LB> action on the web site sends these e-mails, how to identify an
LB> e-mail as actually coming from the site, and where to report any
LB> sort of mailbombing (back to the first point).

--
Rafi
On Wed, 25 Jun 2003, Callahan, Richard M, SOLGV wrote:
> Good Afternoon and forgive the new guy if I break any rules or conventions.
The old rule used to be: Thou shalt not be excessively annoying.

Billions of solicited and confirmed mail messages are sent every day with few problems.

1. Follow the old conventions. No HTML, wordwrap at 72 characters, Mixed Capitalization, clear explanation why this address (some personalization) received the message. Don't write a novel, don't fill it with lots of URLs. You should have a random nonce authenticator for the confirmation.

2. Run it through SpamAssassin. If SpamAssassin thinks it's Spam, it'll end up in the junk folder (or trash folder).

3. Make sure everything is reasonable and makes sense to an outsider such as From addresses (envelope and header), received from headers, in-addr.arpa, etc. Clean up your ARIN and Domain registry records to accurately identify you.

4. Handle bounces. If you are sending out millions of messages, expect some percentage to bounce. Not handling bounces fills up ISP spools, annoying ISPs.

5. Remember bounces, failed attempts and non-responses. Set a reasonable limit and then require intervention before sending more mail to the same address (user, and domain to prevent dictionary attacks). One confirmation message to an address is good manners, thousands of confirmation messages is annoying.

6. Working abuse and postmaster addresses. Someone will complain. If a person asks you to stop sending mail to their address/domain/etc, stop. You should maintain your own internal list of "do-not-mail" addresses you never send e-mail to.

7. Make sure your systems don't have any open relays, open proxies, mailfrom.cgi problems.

8. Consider using "human detection" on the web form to prevent robots from generating lots of confirmations. For example, a picture containing a few random numbers the human must read and type in. Unfortunately, this probably violates the Federal ADA rules for web sites.

Expect some joker to try to seed some spamtrap addresses through your web page.
It will result in some of the more extreme spam blacklisters listing you as a spammer. There is probably nothing you can do or say to change the minds of the most extreme folks. But most of the others are reasonable if you can show basic due diligence.
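
Added example, not part of the original thread or any poster's code: a sketch of the controls suggested in the replies above (throttle repeated registrations of one address, cap sends per address and per recipient domain, honour a do-not-mail list, and confirm with a random one-time nonce). The class name, the in-memory storage and the numeric limits are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed limits; the thread only says "set a reasonable limit".
MAX_PER_ADDRESS = 3
MAX_PER_DOMAIN = 100
WINDOW_SECONDS = 24 * 3600

class ConfirmationGate:
    """Hypothetical in-memory gate in front of the confirmation mailer."""

    def __init__(self, now=time.time):
        self._now = now
        self._sent = {}           # ("addr"|"domain", value) -> send timestamps
        self._pending = {}        # address -> SHA-256 of the outstanding nonce
        self.do_not_mail = set()  # addresses that asked never to be mailed

    def _recent(self, key):
        cutoff = self._now() - WINDOW_SECONDS
        self._sent[key] = [t for t in self._sent.get(key, []) if t > cutoff]
        return self._sent[key]

    def request(self, address):
        """Return a nonce to mail out, or None if the send must be held."""
        address = address.strip().lower()
        if address in self.do_not_mail:
            return None
        by_addr = self._recent(("addr", address))
        by_domain = self._recent(("domain", address.rpartition("@")[2]))
        if len(by_addr) >= MAX_PER_ADDRESS or len(by_domain) >= MAX_PER_DOMAIN:
            return None                      # hold for manual intervention
        nonce = secrets.token_urlsafe(16)    # 128 bits from the OS CSPRNG
        # Store only a digest; a newer request replaces the older nonce.
        self._pending[address] = hashlib.sha256(nonce.encode()).digest()
        by_addr.append(self._now())
        by_domain.append(self._now())
        return nonce

    def confirm(self, address, nonce):
        """True once, and only for the nonce last issued to this address."""
        address = address.strip().lower()
        expected = self._pending.get(address)
        supplied = hashlib.sha256(nonce.encode()).digest()
        if expected is None or not hmac.compare_digest(expected, supplied):
            return False
        del self._pending[address]           # one-time use
        return True
```

The per-domain cap is what stops a script from walking through guessed mailbox names at a single provider, since each individual address would otherwise stay under its own limit.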
participants (10)
- Andy Dills
- Callahan, Richard M, SOLGV
- Eric Brunner-Williams in Portland Maine
- JC Dill
- Joe Abley
- Larry Rosenman
- Leo Bicknell
- Rafi Sadowsky
- Sean Donelan
- Simon Lyall