SPOTLIGHT ON… Anne Mitchell from Surety Mail

Adrian: Why don’t you tell us a little about yourself, and what you want to be when you grow up?

Anne: Well, I want to join the circus. Oh wait, I’m in the middle of a circus already.

I’m an attorney, and I hope you won’t hold that against me. I use my powers for good, honest! Prior to being involved in the e-mail community, I was a fathers’ rights attorney. I was one of the only fathers’ rights lawyers in the United States, and I did that for many years. Eventually, I burned out. When you’re constantly representing the underdog, as I was by representing only fathers, people who were good guys who were trying hard to be involved with their kids, it’s emotionally draining. In 1998, I said, “I cannot do this anymore,” and I packed up my practice.

I called up my good friend Paul Vixie, whom I had not realized was the Internet guru that he was. Paul said to me, “Well, you know more about the Internet than just about any other attorney I know. I have this organization called MAPS, and we need someone to come in and run our legal strategy and just be our counsel because we are probably going to get sued soon. How’d you like to come work in-house for me?”

So I went in-house for MAPS, and it’s important to understand how MAPS started out. When spam started becoming a problem, which was in the mid ’90s, Paul created his own personal list of IP addresses that were sending him stuff that they shouldn’t have. He built that list of IP addresses into his own personal e-mail server, and it said, “Don’t accept e-mail from this IP address.” This was very reasonable; it was his own personal server, and so he didn’t have to accept email from people he didn’t know if he didn’t want to. His colleagues started getting wind of what he was doing, and they all said to him, “That’s a great idea. Can we just use your list? Because we completely trust you, we know you, and what your principles are.”

Adrian: Had there been a black list before?

Anne: To the best of my knowledge, this was where it all started. It’s certainly the first one that was used by third parties on a wide basis. It started out as Paul’s personal project and it just grew.

After I left MAPS, I helped found Habeas. They brought me in as the CEO, when they just had the kernel of the idea. The timing was just right for both of us, as I literally had left MAPS the day before when they contacted me, and there was basically no one else that I can think of who had the combination of understanding the e-mail infrastructure, understanding spam issues, having relationships with all the receivers and also having a legal background.

I was working with these receivers and starting to work more with e-mail sending companies, which I had not done as much in the past. Just as I was with dads’ rights, I once again found myself in the middle, between two absolutely opposite factions trying to negotiate between them. My forte had always been negotiating and alternative dispute resolution – as a fathers’ rights attorney negotiating between mom and dad to help facilitate the best arrangement for both the children and the parents. I could often get them both what they wanted if I could keep them out of court. With email senders and receivers, it really came down to the same thing, and I was quickly realizing both sides wanted the same thing. The receivers had customers who wanted to receive e-mail and didn’t want it blocked as spam, but they also didn’t want to get spam. Well, guess what senders want? Legitimate senders want to have the e-mail that people want delivered, but they also don’t want to send e-mail to people who don’t want them. So what it boils down to is that both sides want to deliver email that is wanted, and don’t want to deliver (or send) email that is not wanted.

So we held what became the first E-mail Deliverability Summit. Quite literally, I strong-armed six CEOs or executive decision makers from six of the ISPs and spam filters and six from the big e-mail sending companies. I brought them down to our conference room, starting at breakfast, kept them locked in that room until the end of the day. It was amazing. Competition was checked at the door. Within the first fifteen minutes, everybody realized that nobody there had, as many put it, “horns and a tail”, and that they really wanted to and could work together to achieve their common objectives. That was June or July of 2003, and even before the word got out in the press, we had dozens of email senders and receivers clamoring to be part of another summit. It was the first time – particularly for the senders – that they had an opportunity to sit down with the people “on the other side” and talk with them, and they were hungry for it. And the email world needed it.

When I left Habeas in August, I was in the middle of planning the next E-mail Deliverability Summit. So I took that with me to ISIPP, and ISIPP sponsored what became the first national E-mail Deliverability Summit in September of that year.

Adrian: Obviously, the senders want to be there to get their mail delivered, but do the receivers really care?

Anne: They really, really do. The receivers were motivated. If they can identify email that is actually wanted, and not have to spend cycles triaging it to determine whether it’s spam, they are happy. If they can get the word out that “this is what we need you to do for us to deliver your email”, and senders can do it, then it frees up so much bandwidth and resources for the receivers. It’s kind of like law enforcement. Every time law enforcement has to deal with something that’s not really an emergency, it’s taking resources away from what could be a true life and death emergency. Similarly, ISPs are churning resources that could be better spent against dealing with really serious issues like hacking and phishing, or even with affirmative goals like vision.

Adrian: So it’s a cost side for receivers then?

Anne: Absolutely. And it’s for not just money costs but resources.

Some really incredible things came out of the summit. If you go to the http://ISIPP.com website and click on links or standards, you can see a few of them. I like to think that we laid the groundwork for other organizations to start putting industry professionals together, such as MAAWG (Messaging Anti-Abuse Working Group).

After we did the summit, several people from both the sending and receiving sides said, “You know what? We really wish that you would do e-mail accreditation because you guys are neutral. Number one, the receivers trust you, and number two, the senders know who you are. You are more of an organization that’s out there trying to get people to do the right thing than a commercial venture.” This was right around the time that anti-spam and sender assistance started to become big business. So that’s how SuretyMail happened. We didn’t intend to start up an email senders’ accreditation program, but we realized that we really could help, and that we were positioned perhaps better than anyone else out there for the very reasons they were saying.

Our program was unique because it was not a white list being kept; it was not reputations. I distinguish reputation from accreditation this way. Reputation is, we’re telling you these guys are good guys and so you should accept their e-mails because we say so. With accreditation, we don’t say you should accept their e-mails because we say so. We’re telling you they’re good guys, legitimate senders, and here are all the factual data points about what they’re doing right.

So, you’re the receiver. So I, [email protected], am sending e-mail to [email protected]. Your server notes my IP address. Let’s just say it’s 64.142.124.69. If you go to any of the black lists, you’re going to say, “Do you have 64.142.124.69 in your database?” It will return either yes, no or nothing (nothing is the equivalent of a “no”). If it returns a yes, you’re going to reject my e-mail because presumably I’m a spammer. If it returns no, then you may accept it and run it through your own internal or content spam filters. With white lists, you’re going to say, “Do you have 64.142.124.69 on your list?” You’re going to get back either a yes, no or nothing. If you get back a yes, it means they’re saying, “Yeah, we have them, we’re saying they’re good people. They have a reputation with us and based on that you may deliver the e-mail.”

If you query us and say, “Hey Surety Mail, do you have 64.142.124.69 listed with you?” We send you back a yes and then we send you back a whole bunch of other stuff at the same time that tells what they’re doing that we believe demonstrates that they are a good sender. So you will get back, for example, “Yes, and they publish SPF and RDNS. All the e-mail that comes from 64.142.124.69 are double opt-in.”

Adrian: So that what’s happening then is the decisions are being made on the local filtering level, and you’re becoming another service which provides additional data?

Anne: For those who use it that way, that’s exactly right. Our system provides them with lots of factual data which demonstrates the good quality of the sender’s email in a way that just saying “yeah, we like them” can’t.

However some receivers, most particularly ISPs with very large infrastructures – that are often cobbled together from smaller regional ISPs they have acquired, so they have lots of antiquated infrastructure in place – they actually still either prefer to use or can only use a single response – “yes, it’s here.” The “yes it’s here” response to a DNS query traditionally takes the form of a response of an IP address of 127.0.0.1 or 127.0.0.2 being sent back to you in response to your query. Here’s how you can test this: go to a shell prompt on your Internet-connected computer and type “nslookup 1.1.168.192.iadb.isipp.com”. You’ll get back a response which includes both 127.0.0.1 and 127.0.0.2.

So for those ISPs which still need the traditional single data point response, we created a scored system that returned still just one ‘yes’ response, like for an older traditional style black list and white list, but with a twist. Where 127.0.0.1 is the typical response, the last octet of the IP address, instead of being “1”, it is “10” through whatever, and the higher the number the better. The higher the number, the more the sender is doing “right” to distinguish themselves from spammers, and to establish themselves as good senders.

I’m going to have to start giving you database names, or it’s going to get very confusing. The original one is called the IADB, which stands for ISIPP Accreditation Database. IADB is the one that when you query, it tells you individual data points. So you give it one IP address, and you get back maybe ten different data response codes. With IADB2, instead of being the ten different discrete data points, you get back just one score based on those data points. Then the receivers who use IADB2 can choose at what level of score they want to start delivering email from the sender without running it through other spam filter tests.

Adrian: Just on the receiver’s side, when they’re receiving all this mail, I mean they’re getting millions of messages. I assume that there’s enough network power to handle the look up when receiving every single e-mail?

Anne: Well there is, but also if they’re really big, they transfer the zone (the data in the database) and use it internally. So they’re doing look ups on their side. A DNS zone is basically a text file on the server that has all the IP address information. When someone does a DNS query to your zone, that’s when they’re asking that database – is this IP address in that file, and what’s the data associated with it?

Now in those zones, there is something which alerts queriers whenever a change is made to that zone, like a new IP address is added or removed. There’s an area at the top of the zone that’s SOA and all that stuff, and there’s a serial number which actually tells the world – “This is the last time this zone had a change made to it.” So ISPs that transfer zones, they just check every so often and if the serial number’s changed, that tells them – oh, the zone is different now, grab it again.

One of the things that we pride ourselves on is being very flexible and working with both the receivers and senders to implement things which they ask for. Our ISIPP Domains Database (IDDB) is a good example of that. We had some senders come to us and ask us to create a zone which, instead of having their IP addresses in it, had their domains and subdomains in it.

Now, what we recommended to email service providers (ESPs) is that whenever possible they should give each one of their customers their own IP address, and that way if someone brings in a dirty list, other customers aren’t going to have their email deliverability impacted by the actions of one clueless or renegade customer. However, these senders that came to us said “We’re already set up and we can’t quickly change like that, but here’s how we do our internal accounting. We may service ten of our marketing customers on one IP address but we give each of them a unique sub domain, so that’s how we’re able to track.”

Now of course, like us, all of the other services out there are set up to handle a query based on an IP address, not a domain or sub domain. So what they said to us was, “What we really want is someone to develop a database that’s by domain and sub domain because we want to take responsibility for the mail that we send.”

Let’s say for example that ESP.com does a huge amount of sending for customers, and so it might be that they have customer A, customer B and customer C. Customer A’s mail gets sent out through CustomerA.ESP.com. Customer B’s mail gets out through CustomerB.ESP.com and so on. Okay, but they’re all coming through the same IP address. So if customer B brings in a dirty list, suddenly customers A and C are also impacted. Well in a traditional IP look up, what the receiver is going to see is that the IP address is registered to ESP.com, but they’re getting e-mail from CustomerA.ESP.com. So that isn’t really a helpful look up.

So we put up the new database, and it was very easy to do. It’s called the IDDB, ISIPP domain database, and that’s included as part of the service. So when you’re accredited with us, you’re automatically listed in there if you want to be, at no extra charge.

Adrian: Very interesting. So on to another topic – what is your opinion of Spamhaus?

Anne: When you ask me my opinion of any of these lists, I can only give you my opinion of the principals that are running them. I know Steve Linford to be a very principled person. I know that there have been a lot of legitimate senders who have had problems with being listed on Spamhaus. I can honestly say that based on the principles under which Spamhaus lists people that I have never seen much mistake Spamhaus. Now whether or not you agree with their guiding principles is another matter, but Spamhaus is certainly considered one of the more un-renegade, coolheaded of the lists out there.

Adrian: When services do list, what do you think about collateral listings? So we’ve got an IP address that’s sending mail and that’s BadGuysMail.com, and we also know that BadGuys.com is another IP address that’s nearby that’s not sending mail. Would you blacklist that one as well or what are general policies on black lists and what do you think about that?

Anne: We’re opposed to collateral damage which is intentionally imposed. And more and more, large receivers will not use a black list with a collateral damage policy, at least not use it as their final arbiter of do they accept the mail or not. The reason that blacklists do collateral listing is to really put the pinch on whomever owns that block to make them get rid of the spammer.

Adrian: I wanted to talk about your e-book, “The Email Deliverability Handbook: Getting Legitimate Email Delivered in a Spam-Filtered World” because I liked everything in your e-book, except for the section on affiliate marketing. And to me, affiliate marketing is one of the principal methods of commerce on the Internet. And I’ve had conversations with Spamhaus in the past and Spamhaus has told me that affiliate marketing is wrong. I’m really interested to understand your point of view now?

Anne: First, thank you for the kind remarks about my book. I really appreciate it, and it means a lot coming from you.

With respect to affiliate marketing, I don’t think it’s wrong. However, it can be extremely problematic. I personally helped to author the McCain Amendment to CANSPAM, which is the one that allows people to go after affiliate programs that knowingly and intentionally benefit from spamming. Those programs ruin affiliate marketing and programs for everybody. A lot of spam goes out in the name of affiliate marketing, and it makes it really difficult for those who are running legitimate affiliate programs – and who have strong anti-spam policies which they enforce. But we love affiliate programs that do it right, and we have several as customers.

Up until the point that CANSPAM was passed with the McCain Amendment, even big companies and certainly more fly-by-night ones, if you went to them and said, “Hey, this spam advertising your product came into our mailbox, here it is.” They would say, “Well guess what? We didn’t send that, our affiliate did. So go pound salt, because you can’t touch us.” But now, if they know that their affiliates are spamming, and don’t do anything about it, they are on the hook. And I cannot emphasize strongly enough that you have to know that your affiliates are spamming and do nothing about it and be making money from it in order for this law to come into play. So legitimate affiliate programs with genuine anti-spam policies which they enforce have nothing to worry about. We were very careful to write it that way so that we could go after the bad ones, and leave the playing field more level for the good ones.

Adrian: I’m not sure we completely agree on this point, but let’s move on to another topic! Does CANSPAM actually require an opt-in?

Anne: That’s an interesting question. It depends on so many different things, but from a legal standpoint and an e-mail deliverability standpoint, it makes sense to have opt-ins.

Adrian: So then to that next step, confirmed opt-in, which is what Spamhaus and some others want. Where are you on that?

Anne: I think it’s absolutely the gold standard and that whenever possible you should do it.

Adrian: Sure. One of the things that I know happens sometimes is an ISP will sit and give you fake bounces. They’ll say that it is a bounce when, and a hard bounce, even when it isn’t. What’s your opinion on that kind of thing?

Anne: I think it’s very poor. I say that if senders are going to be held to a standard, then the receivers also have to be held to the equivalent standard. If the senders are expected to sideline hard bounced addresses, then the receivers have to always send hard bounces when it really is the case.

Adrian: Anne, thank you so much for your time.

Anne: And, Adrian, thank you for inviting me to sit for this interview, and for your kind remarks about the book! If your readers would like to purchase it, or to find out more about our SuretyMail email senders accreditation service, they can find it all at http://www.ISIPP.com.

Adrian Bye

If you’d like to be interviewed by Adrian, sign up for his newsletter here: http://AdriansTips.com, and reply to the first message you get to contact him directly.
