Thursday, December 22, 2011

email 200 - How NOT to be a Spammer

Today's blog is a follow-up to email 110 - DNS - the Domain Name System.


DNS (again)
Here I go harping on DNS again. I can't express enough how important DNS is to the high-volume sender. While simply understanding how it works is enough for anyone who sends and receives a few emails a day, the high-volume sender needs to understand it completely. There are many things you can do with DNS that will help you send mail more efficiently. Some of those follow here.

DKIM
DomainKeys Identified Mail is a system for "signing" a message with a fingerprint that can only be connected to you. If a receiver gets your email and it carries a DKIM signature, they can look up your key in DNS and use it to verify that the mail was really sent by you. If it was not, they have the option of rejecting the mail or marking it as possible spam. The way this works is with a pair of cryptographic keys: one is private and the other public. The private key is used to sign special information from your server right into the email headers (from part 1). The public key is published in DNS, so when a receiver gets your mail they can fetch your public key from DNS, check the signature and verify that the mail really did come from your server.

In DNS, the DKIM entry will look something like this:
d1024._domainkey.example.com. 86400 IN TXT "v=DKIM1; k=rsa; h=sha1; t=y; p=MHxwu28eddw…QaB"

When someone at example.com sends a DKIM-signed email, a receiver like Yahoo looks in example.com's DNS zone for the "_domainkey" entry. The public key in the "p=" part is used to check the signature. If the check succeeds, the mail is marked as "passed".
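As an added example (not from the original post), the following Python shows the receiver-side lookup described above: it reads the selector and domain out of a DKIM-Signature header, builds the DNS name to query, and sanity-checks the TXT record before any cryptographic verification would run. The DKIM-Signature header and the p= value are constructed placeholders; the actual RSA check of the b= tag is not performed here.

```python
import re

# Constructed DKIM-Signature header (bh= and b= are placeholders) and the key
# record from the post, with the truncated public key replaced by a placeholder.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha1; d=example.com; s=d1024; c=relaxed/relaxed; "
                    "h=from:to:subject:date; bh=BODYHASHPLACEHOLDER=; b=SIGPLACEHOLDER==")
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; h=sha1; t=y; p=PUBLICKEYPLACEHOLDER"

def parse_tags(value):
    """Parse a DKIM tag=value list; the header and the TXT record share this
    syntax. Whitespace inside values (e.g. folded p= keys) is dropped."""
    tags = {}
    for item in value.split(";"):
        if item.strip():
            name, _, val = item.partition("=")
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags

def key_record_name(signature):
    """The DNS name a receiver queries: <selector>._domainkey.<signing domain>."""
    tags = parse_tags(signature)
    return f"{tags['s']}._domainkey.{tags['d']}"

def check_key_record(record, signature):
    """Sanity-check the published key against the signature that points at it.
    Returns (usable, reason); the RSA check of b= itself is out of scope here."""
    sig, key = parse_tags(signature), parse_tags(record)
    if key.get("v", "DKIM1") != "DKIM1":      # v= is optional, but if present it must be DKIM1
        return False, "unsupported key record version"
    if not key.get("p"):
        return False, "empty p= tag: the key has been revoked"
    key_alg, hash_alg = sig.get("a", "rsa-sha256").split("-", 1)
    if key.get("k", "rsa") != key_alg:
        return False, "k= does not match the a= algorithm in the signature"
    if key.get("h") and hash_alg not in key["h"].split(":"):
        return False, f"hash {hash_alg} is not allowed by h={key['h']}"
    if "y" in key.get("t", "").split(":"):
        return True, "testing mode (t=y): treat a failure as if unsigned"
    return True, "ok"
```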

FBL
Feedback Loops are best represented by the "This Is Spam" button in the Yahoo, Hotmail and AOL webmail clients. A responsible high-volume sender can apply for FBL status with many of the larger ISPs, but needs to use a separate domain name and reporting address for it. When an end user clicks the "This Is Spam" button, the ISP generates a new email and sends it to the domain listed in DNS. This is a special type of mail known as "ARF", or Abuse Reporting Format, and is often processed automatically by an abuse-reporting system in the sender's network. An FBL mail is NOT a bounce; it is a new email generated in response to an end user manually pressing a "This is Spam" button in their email reader. For this reason you cannot normally rely on getting all of the original message back. Many ISPs will redact any personally identifying information, including the email address, from the returned email. A bulk sender participating in an FBL program will have to use some intelligent processing to manage FBL responses.
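An added example, not part of the original post, of the "intelligent processing" an FBL handler needs: it parses a constructed ARF report with Python's email library, pulls the complaint type and source IP from the feedback-report part, and recovers the subscriber from an assumed X-Subscriber-ID header on the embedded original, since the recipient address itself has been redacted.

```python
import email
from email import policy

# Constructed ARF (RFC 5965) report with the complainant's address redacted, as
# many ISPs do. X-Subscriber-ID is an assumed header the sender stamps on every
# outgoing message so a redacted complaint can still be matched to a subscriber.
SAMPLE_ARF = """\
From: fbl@isp.example
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arf1"

--arf1
Content-Type: text/plain

Abuse report for a message received from 192.0.2.10.
--arf1
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Rcpt-To: <redacted@isp.example>
Source-IP: 192.0.2.10
--arf1
Content-Type: message/rfc822

From: deals@example.net
X-Subscriber-ID: 4f3c9a

Hello, here are this week's deals.
--arf1--
"""

def parse_arf(raw):
    """Return (feedback_type, source_ip, subscriber_id) from an ARF report."""
    msg = email.message_from_string(raw, policy=policy.default)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF feedback report")
    feedback_type = source_ip = subscriber_id = None
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            report = part.get_payload()[0]    # parsed as a headers-only message
            feedback_type = str(report["Feedback-Type"])
            source_ip = str(report["Source-IP"])
        elif ctype == "message/rfc822":
            original = part.get_payload()[0]  # our own message, possibly redacted
            if original["X-Subscriber-ID"]:
                subscriber_id = str(original["X-Subscriber-ID"])
    return feedback_type, source_ip, subscriber_id
```

An "abuse" report whose subscriber id can be recovered should remove that subscriber from the list immediately, whatever the redacted address says.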

SPF
Sender Policy Framework is similar to DKIM in the sense that an ISP can use it to validate the source of the mail. It does not use any kind of cryptographic signing; instead it lists all of the IP addresses that are associated with a mail host (MX) name. This way, when a mail is received, a receiver can check in DNS whether the IP address that sent the email is among the IP addresses listed in DNS for that mail. If not, it was most likely spam and can be discarded or marked as spam.
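As an added example (not from the original post), here is the check a receiver performs once it has fetched the SPF TXT record: it walks the mechanisms in order and returns the SPF result for the connecting IP. The record and addresses are constructed documentation values; only the ip4, ip6 and all mechanisms are handled, and anything needing a further DNS lookup is refused rather than guessed.

```python
import ipaddress

# Constructed SPF record for the sending domain. 192.0.2.0/24, 198.51.100.0/24
# and 2001:db8::/32 are documentation prefixes, not real mail hosts.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 ip6:2001:db8::/32 ~all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip):
    """Evaluate an SPF record against the IP that delivered the mail, the way
    a receiver does after fetching the TXT record. Only the address-literal
    mechanisms (ip4, ip6, all) are modelled; a, mx, include and redirect=
    need further DNS lookups and are refused rather than guessed."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no usable SPF record published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                     # default qualifier is "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]    # "all" always matches
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"          # malformed address in the record
            if ip in network:               # False when the IP versions differ
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {mech!r} needs DNS lookups")
    return "neutral"                        # nothing matched and no "all" term
```

A "softfail" (~all) is the usual result for a sender that forgot to list one of its outbound IPs; receivers typically score it rather than reject outright, so the mail lands in spam instead of bouncing.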

SenderID
SenderID is almost synonymous with SPF, but is a slightly different version - you can never have too much security.

WhiteListing
This is a process of simply being a good neighbour in the high-volume sending community. When you request whitelisting from an ISP like Yahoo, for example, you have to provide proof that you have done all the right things in DNS, like SPF and DKIM. You also have to prove that you are a legitimate sender and not a spammer. When they are satisfied that you are one of the good guys, they will list your mail server IPs as "friendly" and will let mail pass through with less security checking: you become a "trusted traveler". This is not necessarily permanent, and one offensive mailing can remove you from the list.

Content prescreening with SpamAssassin
When an end user clicks on "This is Spam", it is an instant mark against you in the reputation battle. Some ISPs also use content scanning and logic to decide what is obvious spam. These are two very good reasons for content-scanning your own messages before sending. This can be done relatively easily with SpamAssassin, which gives you a score with details that show you where to improve. While no ISP actually uses SpamAssassin itself, they all use some form of ranking that is similar. Odds are that if SpamAssassin gives you a score of 10 or more, the ISP will mark the message as spam and your mail may never see the inbox.

Double Opt-In vs Purchased Lists
One big factor that can really affect your reputation as a sender is the quality of the email address list you send to. While it is tempting to purchase email address lists to send to, this can be a dangerous practice. There are some legitimate list vendors out there, but there are also those who will sell you bad lists filled with invalid addresses, spam traps (addresses that are known to be bad and are watched by ISPs), and forbidden addresses. Sending mail to any of those can hurt or kill your reputation. One way to avoid that is to double opt-in your own list. First allow people to submit their email address to a web form if they want your information. Then send them a short email asking them to click a verification link if they really did ask for the information, à la double opt-in.
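An added example, not from the original post, of the verification link in the double opt-in step above. The security point is that the link must be unforgeable and short-lived, otherwise anyone could "confirm" a stranger's address onto your list and turn you into the spammer; the endpoint URL, the secret and the parameter names are assumptions.

```python
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed server-side secret: generated here so the example runs stand-alone;
# a real deployment loads it from configuration and keeps it out of the code.
SECRET = secrets.token_bytes(32)
TTL_SECONDS = 48 * 3600          # confirmation links expire after two days
CONFIRM_URL = "https://lists.example.net/confirm"   # assumed endpoint

def _mac(address, issued_at):
    """HMAC over the address and issue time, so neither can be changed."""
    return hmac.new(SECRET, f"{address}|{issued_at}".encode(),
                    hashlib.sha256).hexdigest()

def make_confirm_link(address, now=None):
    """Link to put in the verification email sent after the web form."""
    issued_at = int(time.time() if now is None else now)
    query = urlencode({"e": address, "t": issued_at,
                       "m": _mac(address, issued_at)})
    return f"{CONFIRM_URL}?{query}"

def confirm(link, now=None):
    """Return the address if the clicked link is genuine and fresh, else None.
    Only a confirmed address is added to the list; an unforgeable link means
    nobody can subscribe a victim without access to that mailbox."""
    params = parse_qs(urlsplit(link).query)
    try:
        address, issued_at, mac = (params["e"][0], int(params["t"][0]),
                                   params["m"][0])
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(mac, _mac(address, issued_at)):
        return None                  # forged or tampered link
    current = int(time.time() if now is None else now)
    if not 0 <= current - issued_at <= TTL_SECONDS:
        return None                  # expired (or issued "in the future")
    return address
```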

ESPs
One great option for people who have a lot of mail to send, but don't want to manage their own mail servers, is an ESP (Email Service Provider). ESPs can often provide safe distribution lists, FBL management, reputation management, and cost-per-message sending fees that are competitive with running your own systems at lower volumes. There are many reputable ESPs who will provide full service including whitelisting, content checking and reputation consulting. These ESPs often have good relationships with the major ISPs and can help build senders (who are not spammers) a good relationship with them.

Next time we get to the good stuff - advanced magic
