anti-spam logo with No Entry superimposed

Anti-Spam has gone too far

I don’t generally view it as being “good business practice” to slate other companies. I have strong opinons on some of the “global providers”, which I may share in polite company. However, today I have reached the final straw. It is the straw that has broken the proverbial camels back, and I am now speaking out. I hate spam (both the physical product and the e-mail variety). We all do. But we can also protect against it. I agree that it is unlikely we will ever eliminate it (unless we build walled gardens and whitelists), but we can reduce the amount using the public lists (such as Spamhaus). Anti-spam needs to be a collaborative effort. The “Big Two” need to catch up, and play ball like most reputable providers, instead of trying to bully others into using their own systems or expensive third party solutions.

Two Up It provides an enterprise-grade range of products, service and support based on 25 years of experience in the tech sector. We are utilising functions that should be applied across the board whether in a small business or a multi-national. One of those services is e-mail, the ubiquitous service that businesses rely on every day to communicate with their suppliers and their customers, complete with a well-known anti-spam solution. Every e-mail sent from our servers (whether it’s from ourselves or a customer) is digitally signed. Messages from Two Up and all customer domains are permitted only from listed servers. We advise receiving servers to only accept messages that have a valid digital signature, and only if the message is received from our servers. We even perform anti-spam checks on outgoing messages in case of a compromise!

For a long time, Spam went unchecked. There was little we could do about it, anti-spam hadn’t been invented (the chicken/egg scenario). As time has gone on, anti-spam systems have got better at identifying legitimate messages. Not a single domain under our control – not 1 – has ever been on a “Spam Blacklist”, we follow the RFC‘s (the ‘rules of the how the internet should work’) to the letter. We utilise advanced configurations such as RFC6376 and RFC7208, which are often ignored by global organisations. Yet, as a small provider – providing for other small businesses – we are now having difficulty sending to two of the largest providers of mail services due to overly aggressive (and, indeed, hostile) anti-spam configurations.

We first noticed anti-spam problems with Google’s GMail service. They appear to have adopted the “whitelist” approach. Every message sent to a GMail account (and we’ve tested this with our own) goes to the Junk folder. When you investigate the “Original” message recieved, there are lots of nice green “PASS” notifications to say that the message is legitimate, yet it’s still sent to Junk by their anti-spam algorithms. Following the Google instructions to use “Google Postmaster” tools, we duly added all of our hosted mail-bearing domains. We ensured our domains were linked to our records on the relevant services. The Postmaster Tools site is, frankly, pointless. It notes that you will only see data when your domain is sending messages numbering hundreds a day. Some months, we won’t see a hundred messages across our entire infrastructure. All the while, our messages continue to go to Spam. Can we contact Google? Simple answer: No. We’ve filled out all the forms, jumped through all the hoops – but there’s nobody we can call for help when we’ve done so and their system is still saying our messages are Junk.

But that’s not the straw that broke the poor old camel. No. That was today, when I tried to e-mail a customer on “outlook.com”. Imagine my joy and delight when I got an almost immediate response. Not, however, from the customer. It was a message from Outlook.com’s anti-spam system to say they had refused to accept my message. Apaprently my address space has been used in an “address harvesting” attempt. Bearing in mind that the IPV4 address space is the oldest part of the public internet, and is now so disjointed that it looks more like a crazy-paving patio than the neat, ordered motorway as originally designed, I could possibly see that as having been true. Sadly, however, it’s not. The particular address space for this server is relatively small, a /29 allocation of 8 addresses, broken down from a larger /20 allocation (4094 addresses). The allocation was made just for Two Up. Now, it is possible someone elsewhere in the /20 allocation has tried this at some point (the /20 itself has had various owners around the world in the past 25 years), the simple fact is this: my allocated /29 hasn’t! Now, this is annoying, but it’s not the breaking point just yet. IP address space changes ownership frequently. Reputation should be based on content analysis and standards compliance, not what might have happened 10 years ago with an IP address.

Not only will Outlook.com refuse to accept the message, they suggest you visit a third-party reputation and certification provider. Cue “Return Path“, the previously hinted at company that require “hundreds of messages” to proide you with a reputation. They provide various subscription levels at a ridiculous cost. They really must be raking it in. Amusingly, however, they appear to have a number of “partners” with domains that are known to be a source of Spam (in fact, Google and Outlook/Hotmail have been at teh top of the Spam Source rankings many times over the years. We have had the Spamhaus project for some time, providing near real-time reports on the reputation of sending servers. They don’t analyse how many messages you send – they look out for actual spam. Return Path, however, want at least $400 to register (if you send up to 100,000 messages per month – multiple years worth of messages from the Two Up Infrastructure), and an annual subscription of $1375 per year. Daylight robbery! Frankly, this is absurd. It has to stop. It is, in my eyes, a modern pay protection racket.

If I were a major mail provider, I could set up a “reputation service” with a massive fee, and force others to pay to message my customers instead of doing proper anti-spam analysis upon receipt. In practice, this is ludicrous, and people would simply avoid my customers. Anyone should be able to message my customers, and my customers determine if a message received is Junk. Messages coming from a host on an established blacklist are handled by the anti-spam system. For both the GMail and Outlook systems, you need to build up a reputation. However, when you are a small business that’s impossible to achieve. Basically, GMail are saying “use Gmail or Outlook/Hotmail” – or (in the case of Outlook) pay a massive fee to bypass the restrictions.

GMail makes money by scanning your message content to build up a profile of you. They then use this to target adverts at you. I cannot confirm whether this is the case with Outlook.com. The price you pay to have your “free” e-mail system is your privacy. You agree to allow these third parties to invade your privacy for their service. However, these services are now dictating who can and cannot send to you? The power to do that should ultimately remain with you. GMail is half-way there. Outlook.com is, however, throwing the baby out with the bathwater.

If you would like an e-mail service that you can trust to maintain your privacy, and support you can speak to when there is a problem, why are you throwing away your privacy, sanity and reachability to a corporation who don’t care about you and your needs? If would like a secure, reliable, contactable service – contact the Two Up Team.

Leave a Comment