Major E-mail Delivery for FTC DNCR Launch

Good Afternoon, and forgive the new guy if I break any rules or conventions.

I work for AT&T Government Solutions and we are about to launch the Do Not Call Registry for the Federal Trade Commission. At a high level this allows consumers to register their phone numbers to keep most telemarketers from calling their homes. Penalties for calling a consumer on the list can be $11K per call and enforcement begins in October.

We are launching consumer registrations on Friday. My concern:

- every registration using the web generates an email which must be opened to complete the registration process

We are looking at the potential of MILLIONS OF EMAILS PER DAY beginning Friday. These will be from the same address and have the same subject line.

I am worried about denial of service or blocking by spam filters if providers are not aware this is coming.

I am hoping this group is a good medium to get the word out to inform the community of this impending event.

At this time I am unable to provide the link or email address, but will do so on Thursday evening if it is of value.

Any thoughts?

Richard M. Callahan
Client Business Manager
AT&T Government Solutions
Office: (703)506-5780
Mobile: (703)608-0665
Fax: (703)245-3749

Good Afternoon, and forgive the new guy if I break any rules or conventions.

I work for AT&T Government Solutions and we are about to launch the Do
Not Call Registry for the Federal Trade Commission. At a high level
this allows consumers to register their phone numbers to keep most
telemarketers from calling their homes. Penalties for calling a
consumer on the list can be $11K per call and enforcement begins in
October.

And we thank you for it. If only you could apply this approach to spam...
:(


Posting to the news.admin.net-abuse.email newsgroup would definitely be a
good idea. The worst bunch to deal with is the SPEWS crew, and that's
their only contact method.

However, you don't really run too much risk; we provide co-location
services for an organization that does large opt-in only mailings
(financial services newsletters, catalogs, etc). They get almost NO
complaints, which is absolutely amazing considering the amount of mail
they send out. The complaints they do get are swiftly met with proof of
opt-in, which you guys will obviously have. They haven't had problems with
blacklists, and have been in business for several years.

If you were to provide evidence of the request in the email that you send
out, and considering that this is basically an anti-phone-spam service,
I'm willing to wager your complaint rate will be very minimal, especially
if the email arrives quickly after the request for processing.

Andy

One of my system admins passed the following, and he does have a point:

You might pass back:

The range of IP addresses that this stuff will be coming from, along
with an assurance that only these mails will be coming from these
servers would allow us to whitelist those addresses.

* Make sure repeated attempts to register the same e-mail address
  get throttled. Don't make the web server a way to e-mail bomb
  people.

* Put in the e-mail a clear, short, easy to read over the phone
  link (http://www.yoursite.com/spam.html) that describes what
  action on the web site sends these e-mails, how to identify an
  e-mail as actually coming from the site, and where to report any
  sort of mailbombing (back to the first point).

* Make sure your mail servers are squeaky clean. Forward and
  reverse match, valid MX's, they report their own name in SMTP
  headers, no "untrusted sender used -f", etc. Valid abuse@
  for the machine name, and the parent domain are essential.
  Valid contacts for the domain and IP block are helpful.
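The forward/reverse-match part of the third bullet, as an added Python check that is not from the thread or from any of the servers discussed; the lookup tables are constructed sample data standing in for DNS, and the names and TEST-NET addresses in them are invented:

```python
# Constructed sample DNS data (invented names, TEST-NET addresses).
SAMPLE_A = {
    "mx1.dncr.example": {"192.0.2.10"},
    "www.dncr.example": {"192.0.2.80"},
}
SAMPLE_PTR = {
    "192.0.2.10": {"mx1.dncr.example"},
    "192.0.2.80": {"oldname.dncr.example"},   # stale PTR: no matching A record
}


def check_sender_hygiene(ip, helo_name, resolve_a=None, resolve_ptr=None):
    """Return the problems a receiving MTA would notice about a sending host:
    missing reverse DNS, reverse DNS that does not resolve back to the IP,
    and a HELO name that is not one of the host's confirmed names.
    resolve_a (name -> set of IPs) and resolve_ptr (ip -> set of names) are
    lookup callables; they default to the sample tables so this runs offline."""
    resolve_a = resolve_a or (lambda name: SAMPLE_A.get(name, set()))
    resolve_ptr = resolve_ptr or (lambda addr: SAMPLE_PTR.get(addr, set()))
    problems = []
    ptr_names = resolve_ptr(ip)
    if not ptr_names:
        problems.append("no PTR record for %s" % ip)
    # Forward-confirmed reverse DNS: a PTR name must resolve back to the IP.
    confirmed = {n for n in ptr_names if ip in resolve_a(n)}
    if ptr_names and not confirmed:
        problems.append("PTR name(s) %s do not resolve back to %s"
                        % (", ".join(sorted(ptr_names)), ip))
    if helo_name.lower() not in {n.lower() for n in confirmed}:
        problems.append("HELO name %s is not a confirmed name of %s"
                        % (helo_name, ip))
    return problems
```

Run the same function against real lookups by passing wrappers around your resolver as resolve_a and resolve_ptr; an empty list means the host passes the forward/reverse and HELO checks.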

In general this sounds like a low-risk activity, as described.

Except possibly don't use the word "spam", or anything else that is liable to trip SpamAssassin and friends into giving your messages a high score (so references to abdominal anatomy and cable tv decoders are also probably unwise :).

I'm frequently surprised that more people don't run their (legitimate, opt-in, whatever) bulk mail through SpamAssassin before they send it in order to see how spam-like it looks. I'm forever having to pick itineraries and electronic tickets from airlines out of my spam folder.

Joe

Leo Bicknell wrote:

* Make sure your mail servers are squeaky clean. Forward and
  reverse match, valid MX's, they report their own name in SMTP
  headers, no "untrusted sender used -f", etc. Valid abuse@
  for the machine name, and the parent domain are essential.
  Valid contacts for the domain and IP block are helpful.

In addition to having all the above properly set up so that your mail servers appear squeaky clean from the outside, make sure they ARE squeaky clean - on the inside. You may wish to raise this issue on the spam-l mailing list:

<http://www.claws-and-paws.com/spam-l/>

The participants on spam-l will be happy to share with you the many ways spammers relay thru web and mail servers, and how to ensure (and test) that your servers can't be abused. All the pre-emptive whitelisting in the world won't help you if your machines are open relays and spammers start sending spew thru your mail servers. There are too many systems that will automatically blacklist your IPs if they start spewing actual spam, and then you will have to go one-by-one to each of them to get unblocked. It's much better to avoid the problem by not letting your machines send any spam in the first place!

jc

On 2003-06-25 21:25 -0400 Leo Bicknell typed:

* Put in the e-mail a clear, short, easy to read over the phone
  link (http://www.yoursite.com/spam.html)

Oops: this is an existing URL titled "FREE Credit Card Gateway" :(

The old rule used to be: Thou shalt not be excessively annoying.

Billions of solicited and confirmed mail messages are sent every day
with few problems.

1. Follow the old conventions. No HTML, wordwrap at 72 characters,
Mixed Capitalization, clear explanation why this address (some
personalization) received the message. Don't write a novel, don't
fill it with lots of URLs. You should have a random nonce authenticator
for the confirmation.

2. Run it through SpamAssassin. If SpamAssassin thinks it's spam, it
will end up in the junk folder (or trash folder).

3. Make sure everything is reasonable and makes sense to an outsider such
as From addresses (envelope and header), received from headers, in-addr.arpa,
etc. Clean up your ARIN and Domain registry records to accurately identify
you.

4. Handle bounces. If you are sending out millions of messages, expect
some percentage to bounce. Not handling bounces fills up ISP spools,
annoying ISPs.

5. Remember bounces, failed attempts and non-responses. Set a reasonable
limit and then require intervention before sending more mail to the same
address (user, and domain to prevent dictionary attacks). One confirmation
message to an address is good manners, thousands of confirmation messages
is annoying.

6. Working abuse and postmaster addresses. Someone will complain. If
a person asks you to stop sending mail to their address/domain/etc, stop.
You should maintain your own internal list of "do-not-mail" addresses you
never send e-mail to.

7. Make sure your systems don't have any open relays, open proxies,
mailfrom.cgi problems.

8. Consider using "human detection" on the web form to prevent robots from
generating lots of confirmations. For example, a picture containing a few
random numbers the human must read and type in. Unfortunately, this
probably violates the Federal ADA rules for web sites.

Expect some joker to try to seed some spamtrap addresses through your
web page. It will result in some of the more extreme spam blacklisters
listing you as a spammer. There is probably nothing you can do or say
to change the minds of the most extreme folks. But most of the others
are reasonable if you can show basic due dilgence.
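Leo's throttling point earlier in the thread and items 1, 5 and 6 of this list, as an added Python example that is not code from the thread or from the registry system being launched; the per-address and per-domain limits, the window and TTL, and the in-memory storage are assumptions (a real deployment would keep this state in a database shared by the web servers):

```python
import secrets
import time
from collections import defaultdict


class ConfirmationGate:
    """Throttles confirmation mail per address and per domain, issues a random
    single-use nonce for the confirmation link, and honours an internal
    do-not-mail list. Limits and the clock are constructor arguments."""

    def __init__(self, per_address=1, per_domain=1000, window=86400, ttl=3600,
                 clock=time.time):
        self.per_address, self.per_domain = per_address, per_domain
        self.window, self.ttl, self.clock = window, ttl, clock
        self.sent = defaultdict(list)   # address or domain -> send timestamps
        self.pending = {}               # address -> (nonce, expiry time)
        self.do_not_mail = set()        # people who asked us to stop (item 6)

    def _recent(self, key, now):
        """Number of sends to this address/domain inside the window."""
        self.sent[key] = [t for t in self.sent[key] if now - t < self.window]
        return len(self.sent[key])

    def request_confirmation(self, address):
        """Return the nonce to put in the link, or None if no mail may go out."""
        address = address.strip().lower()
        if "@" not in address or address in self.do_not_mail:
            return None
        domain = address.rsplit("@", 1)[1]
        now = self.clock()
        # Over either limit: stop and require human intervention (item 5).
        if (self._recent(address, now) >= self.per_address
                or self._recent(domain, now) >= self.per_domain):
            return None
        self.sent[address].append(now)
        self.sent[domain].append(now)
        nonce = secrets.token_urlsafe(24)      # the random nonce authenticator (item 1)
        self.pending[address] = (nonce, now + self.ttl)
        return nonce

    def confirm(self, address, nonce):
        """True exactly once, for the right nonce, before it expires."""
        address = address.strip().lower()
        entry = self.pending.get(address)
        if entry is None or self.clock() > entry[1]:
            return False
        if not secrets.compare_digest(entry[0], nonce):
            return False
        del self.pending[address]              # single use
        return True
```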