[Politech logo]

Politech is the oldest Internet resource devoted to politics and technology. Launched in 1994 by Declan McCullagh, the mailing list has chronicled the growing intersection of law, culture, technology, and politics. Since 2000, so has the Politech web site.

More on Downsize DC and its problems with AOL blacklisting

L.S. points out that a blog comment shows that downsizedc.org has some 
problems including not accepting postmaster email, a technical 
requirement for any mail server:
http://www.downsizedc.org/blog/2007/feb/05/whipped_by_aol#comment-366

Previous Politech message:
http://www.politechbot.com/2007/02/05/libertarian-group-downsize/

-Declan

-------- Original Message --------
Subject: Re: [Politech] Libertarian group "Downsize DC" gets blacklisted 
by AOL [fs]
Date: Mon, 5 Feb 2007 17:24:55 -0600
From: Al Iverson <aliversonchicago@gmail.com>
To: declan@well.com
References: <45C7B1F2.9000301@well.com>	 
<54709c090702051502s2b77f0b7tc4cd10d773ecb645@mail.gmail.com>

Please post this to Politech if you feel appropriate.

 > ---------- Forwarded message ----------
 > From: Declan McCullagh <declan@well.com>
 > Date: Feb 5, 2007 4:38 PM
 > Subject: [Politech] Libertarian group "Downsize DC" gets blacklisted 
by AOL [fs]
 > To: politech@politechbot.com
 >
 > Jim Babka, the president of the Downsize DC Foundation, added this to
 > the below blog entry in email today:

Declan,

I'm not convinced there's some big conspiracy to prevent political
groups from emailing to AOL. I, and many others, deal with AOL
regularly and find that when they say our DNS is broken, it's because
the DNS is broken.

Also, there might be a reason that we keep seeing the "AOL is mean"
press releases from the various political groups: My theory is that
it's because these groups are way better at putting out press releases
than managing email.

I think this theory is supported by the fact that Downside DC ran into
issues after relaying spam via a compromised script. Fixed "almost
instantly," probably after relaying gobs of spam to innocent AOL
users. He talks about how they wouldn't tell him what the compromised
script was -- they don't necessarily know. They just see the output
(spam) on the other end. They also gave him more information than many
other ISPs give many other senders.

None of the problems these groups keep raising are new. None of them
are specific to their mail, none of them are specific to Goodmail, and
it gets tiring to hear about the giant AOL email conspiracy, tiring of
hearing about the AOL email tax, etc., etc., when thousands of senders
and sending millions of legitimate mails into AOL with regular
success.

The only other specific point I want to reply to regarding Downsize DC
is regarding feedback loops. He heard that they are "worthless." This
is not true. Receiving an ISP to mailing list owner feedback loop is a
vitally important step to determine who is reporting your mail as spam
and getting them off your list so they stop damaging your email
reputation. If you don't get the feedback loop, you don't get
information about who is complaining about your mail, and spam
complaints never go down, because you keep annoying those people over
and over.

Someone at another ISP, who is not a list manager, wouldn't understand
that. ISP to ISP feedback loops may contain the same data, but what
the data is used for is quite different.

Dealing with AOL on issues like these is actually not as hard as it is
being portrayed to be. On January 25th, I published a how-to guide on
my website. I hope others find it useful.

http://www.spamresource.com/2007/01/how-to-deliver-mail-to-aol.html

Regards,
Al Iverson
-- 
Al Iverson on Spam and Deliverabilty, see http://www.spamresource.com





-------- Original Message --------
Subject: Re: [Politech] Libertarian group "Downsize DC" gets 
blacklisted by AOL	[fs]
Date: Tue, 06 Feb 2007 08:01:10 +0530
From: Suresh Ramasubramanian <suresh@hserus.net>
Organization: -ENOENT
To: Declan McCullagh <declan@well.com>
References: <45C7B1F2.9000301@well.com>

Declan McCullagh wrote:

 > Note this doesn't seem the same thing as what we talked about last month
 > -- in this case, a legitimate organization has a temporary security
 > hiccup and, months later, is still blacklisted.

You sure its temporary, Declan?

 > compromised script, but the November Tell-a-friend hack was our first
 > appearance on the AOL blacklist and we've had problems with that company
 > ever since. We've been in a kind of "off and on" situation with them --

They were blocked by AOL in november due to a compromised script. And
then they've been blocked off and on .. chances are they do have another
script or two that are just as insecure as whatever script they had that
led to it being hacked, spam being sent out of it.

Two ways to go.

1. Blog about it (which does tend to have zero effect)

2. Ask AOL what the issue is, get the issue fixed.

So looks like they did #2 and have had quite a run around with AOL's
staff for some reason.  [reverse dns can timeout or be unavailable for
some reason like dns latency at their ISP, for example]

 > On top of that, after this most recent blacklisting, our programmer set
 > up a "feedback loop" with AOL. That's a recommended procedure. However,
 > another ISP manager we spoke to said he has one of these for his company
 > as well, but has found it to be "useless."

That's strange because there's broad consensus - among ISPs, large email
senders of every stripe (ranging from political campaigns to marketing)
etc that feedback loops are quite useful.  Especially in the case of a
list - if you get an email reported as spam, and its a list that you are
sending out, dont dismiss it as useless, unsubscribe the user. Simple

 > Metaphorically speaking, somewhere along the way, someone at AOL decided
 > that their customers want the mail delivery person to read all of their
 > mail, sift out the stuff they wouldn't be interested in, and deliver the
 > rest. Internet Service Providers (ISP -- i.e., like AOL, Earthlink, Road

This is tinfoil hattery taken to the extreme.  "Read all their email"?
For over a 100 million users?  We've just got 40 million ++ users and
we're about a third of AOL's size, or so.  There ain't enough staff in
the world to "read all AOL users' mail and forward it on", trust me.

	srs





-------- Original Message --------
Subject: Re: [Politech] Libertarian group "Downsize DC" gets blacklisted 
by AOL [fs]
Date: Mon, 5 Feb 2007 15:10:32 -0800
From: Tom Collins <tom@tomlogic.com>
To: Declan McCullagh <declan@well.com>
References: <45C7B1F2.9000301@well.com>

On Feb 5, 2007, at 2:38 PM, Declan McCullagh wrote:
 > On top of that, after this most recent blacklisting, our programmer
 > set up a "feedback loop" with AOL. That's a recommended procedure.
 > However, another ISP manager we spoke to said he has one of these
 > for his company as well, but has found it to be "useless."

Declan,

I've been running a small hosting server for 8+ years now, and I have
to disagree with AOL's feedback loop being "useless".  It's perhaps
one of the best ways to learn that a user has installed an insecure
formmail script which is now being abused by spammers.  If any of
your customers run mailing lists and are adding AOL users without
your permission, you'll know about it.

On the down side, I have to deal with AOL spam complaints for
legitimate lists that I know the users have requested.  In the end
though, it's better to know when AOL users are complaining that mail
from your IP is spam.

-Tom






-------- Original Message --------
Subject: Re: [Politech] Libertarian group "Downsize DC" gets blacklisted 
by AOL [fs]
Date: Mon, 5 Feb 2007 19:39:56 -0500
From: Rich Kulawiec <rsk@gsp.org>
To: Jim Babka <jimbabka@downsizedc.org>
CC: Declan McCullagh <declan@well.com>
References: <45C7B1F2.9000301@well.com>

 > "The last couple of weeks have been a nightmare. Why? Because America
 > Online (AOL) has blacklisted us.

And you don't have an AOL feedback loop set up.

The AOL feedback loop is invaluable.  Don't believe whoever told
you it wasn't.  I've set them up not just for myself, but for
every client running mailing lists and/or *forwarding* mail
(note, not delivering, forwarding) to AOL.

Let me tell you why you want one, and why your problem may very well
NOT be AOL -- but your own subscribers.  (And possibly some lesser
procedural errors that you've made, but I'll get to that.)

I run quite a few mailing lists, and have for many years.  Like everyone
else who does so, and who has an AOL feedback loop in place, I see a
constant low-level stream of reports from AOL about perfectly ordinary
mailing list traffic marked as spam *BY THE USERS*, that is, by the people
who are on the mailing list and are reading it via their AOL accounts.

This is because AOL presents it to them using an interface that has
various message operations on it -- "save", "delete", whatever -- and
"report as spam".  And users being users, they are not always as careful
as we might hope.  And some of them will hit that button -- in fact, some
of them will hit that button repeatedly on sequential list messages.

Thus reporting them to AOL as spam.

They will do this even after you repeatedly ask them not to.   They
will do this even after you point out things like, oh, that if they
want to unsubscribe, the instructions are in the footer of every
list message.  They will do this even after you threaten to remove
every AOL user from the list for a while.  They will do this.

Which is why you need a feedback loop.

AOL has been (and correctly so) tight-lipped about just how they
combine this information with other information (such as: overall
message volume from the source, which could be used to compute a
percentage-marked-as-spam) but it appears that if enough recipients hit
that button often enough, then eventually something will happen --
closer scrutiny, graylisting, blocking, something.

Your users are hitting that button.  I guarantee it.  I can say this
because your stated number of AOL subscribers is large enough that I can
apply experience gleaned from similar populations.  Even on mailing lists
with just ~25 AOL users, some have hit that button.  (You say you
have ~3000 users at AOL -- so I have no problem telling that your users
are hitting that button.  Probably fairly often.)

If you had a feedback loop set up, you'd know how often they were doing
so.  And you could use any of several techniques to identify which ones,
and then decide what to do about them.  (unsubscribe them, warn them,
unsubscribe them and ban them, whatever you like, including "nothing")

Now...I'm not a major fan of this tactic on AOL's part.  And like others,
I've asked them to take some steps to mitigate the false positives that
are being generated by their users.  And I have reason to believe that
they have been continuously working to improve it.

But the bottom line is that it's their choice to offer this feature,
and their customers' choice to use it -- including "to use it
capriciously and without really thinking about what they're doing".

So the first thing you need to do once you're off their blacklist this
time, is set up that feedback loop and *pay attention* to what it tells
you.  (Keep in mind: AOL is not the only place where your messages are
being scrutinized.  They're just one of the few are generous enough
to share some of that process with you *for free*.  You should take
advantage of the offer, because it will, if used properly, also enable
you to avoid similar problems elsewhere.  It's possible you already
have some of those, by the way.  They just may not be as obvious yet.)

So be prepared for the possible unpleasant reality that your own
subscribers may be the underlying cause of your problems.  I've
seen it, multiple times.  (And yes, in situations where the
proximate cause appeared to be something else.  Sound familiar?)

 > On top of that, anyone attempting to sign up with our system using an
 > AOL or AOL-related address couldn't confirm their registration.

It's good that you have a registration confirmation process -- I just
tested it, and appears to correctly implement a confirmed opt-in
procedure (good)  But it's bad that it requires confirmation via the web.
You *should* be offering confirmation (as well as subscribe/unsubscribe
functionality) via email, for a number of reasons.  (Briefly: because
it's a *mailing list*, because of RFC 2142, because it's been a best
practice for decades, because all sane mailing list management s/w
already has this built in, and because it avoids forcing users to use
a second piece of software to do what is easily accomplished with one.)

So my advice is to set up RFC 2142 addresses for any/all lists you operate,
and to incorporate headers that comply with RFC 2369 and RFC 2919.
One easy way to do this is to use a mailing list manager like Mailman
(www.list.org) which has all of this built into it.  (In fact, I highly
recommend that you dump what you're using now and use Mailman.)

Ah, and I referred to procedural errors above: if you're not doing all
these things, then users *may* resort to thumping on the "report as spam"
button because you're not providing them with the standard mechanisms for
doing things like unsubscribing.  There's no way to know that for certain,
but since it's easy to avoid this problem entirely and alleviate the risk
(and do it using free software), it'd be silly not to.

---Rsk





-------- Original Message --------
Subject: Re: [Politech] Libertarian group "Downsize DC" gets blacklisted 
by AOL[fs]
Date: Mon, 05 Feb 2007 18:29:31 -0500
From: rafonda <rafonda@webworkz.com>
To: Declan McCullagh <declan@well.com>
References: <45C7B1F2.9000301@well.com>

The question that occurs to me is, WHY would anyone use AOL in the first
place?

RAF





Date: Mon, 5 Feb 2007 21:13:39 -0800
From: Scott Jordan <scott_c_jordan@yahoo.com>
To: 'Declan McCullagh' <declan@well.com>
References: <45C7B1F2.9000301@well.com>

Declan,

Having one's political opponents blacklisted by anti-spam filters became
quite the sport in the 2002 election cycle here in the U.S.  People would
sign up for a group's or pundit's emails, then gleefully hit the "abuse"
button once they arrived.  The obedient spam filter would soon block
delivery of any email from that source, sometimes (as in the case of AOL)
rejecting emails that even contained a URL pointing to a source on its
blacklist.

I tested this extensively a couple years ago and found that, impressively,
AOL's filter seemed to even parse tinyurl.com and shorl.com redirects,
detecting the Verbotensource and blocking delivery.

AOL was by far the worst, but all spam filters (even client-based ones) have
similar problems.  Many share blacklists, so once a source has been deemed
offensive by a threshhold number of "complaints" for one spam filter, users
of other spam filters would see the content blocked, too.

Compounding the problem is that the vast majority of email users have no
idea what's going on or what to do about it.  Spam folders go uninspected,
in part because they're cumbersome and daunting.  Whitelists go unused,
mostly because they're limited and inaccessible.

It's a serious problem.  I'm no fan of the death penalty but make an
exception for spammers... and those who abuse spam filtering to censor the
opinions of those they oppose.

My sympathies go out to the Downsize DC Foundation.  I wish them well, but
AOL is a tough nut to crack, as they're finding.  And while there are other
ways to get on a spam filter's radar-screen, the possibility that a
political opponent has purposely blacklisted them should not be rejected
today.

Best,

--Scott Jordan
   San Jose




[Contrary to Karl's suggestion, I don't believe that Downsize DC has in 
any way called for regulatory action. I expect they'd oppose it on 
principle. It's possible to complain about a corporation's actions 
without calling for government regulation... --Declan]

-------- Original Message --------
Subject: Re: [Politech] Libertarian group "Downsize DC" gets 
blacklisted by AOL	[fs]
Date: Mon, 05 Feb 2007 15:40:27 -0800
From: Karl Auerbach <karl@cavebear.com>
To: Declan McCullagh <declan@well.com>
References: <45C7B1F2.9000301@well.com>

Declan McCullagh wrote:
 > Jim Babka, the president of the Downsize DC Foundation, added this to
 > the below blog entry in email today:
 >
 > "The last couple of weeks have been a nightmare. Why? Because America
 > Online (AOL) has blacklisted us.
 > The result  ...

One might find it ironic that a group that advocates small government is
emitting what could be construed as a cry for some form of regulatory 
action
over the internet in order to protect itself from the choices made by 
other,
larger businesses.

One of the reasons we have such a huge administrative apparatus, not to 
mention
a protected civil service, is because of the problems that occurred in 
the late
1800's and early 1900s.  I think we all can agree that we overshot the 
mark and
that we have too much apparatus today.  However, there still is a 
legitimate
need for some such mechanisms - we can debate the amount.

What I see as a more corrosive development is the transfer of governmental
powers from agencies that are clearly governmental and arguably under the
control of elected officials that react to public pressure to agencies 
that are
private and responsive only to a very limited constituency.  ICANN being 
one
such example.

		--karl--



Posted by Declan McCullagh on Feb 05, 2007 in category free-speech


Get a Politech feed through RSS or Atom [RSS] [Atom]

The Politech general information pages and photographs are copyrighted by Declan McCullagh. Original posts distributed to the mailing list are licensed under a Creative Commons License.
Creative Commons License