Making Spammers Pay

Jon Larimore, president of Washington, D.C., metro Internet service provider ZZAPP!, faces the same problem every provider around the world faces — allowing access to legitimate mass-marketed email for his customers.

“Our problem is that in our attempts to comply with our subscribers’ firm desire for spam-free mailboxes, however selective the spam blocking system being used, it will tend to occasionally block advertising which is not spam,” he told internetnews.com. “From a purely pragmatic standpoint, and because we’re fulfilling our subscribers’ wishes, it really doesn’t matter much to us whether the occasional valid advertisement a subscriber actually wants to see fails to reach them.”

Larimore uses a combination of seven DNS-base black lists as well as his own list of in-house IP blocks to keep known spammers from peppering his server with millions of junk messages. His customers have repeatedly said they’d rather miss the occasional legitimate message than find spam in their inboxes.

One email gateway company has come up with a novel approach to separate spam by making them pay.

IronPort has come up with the Bonded Server program, a “white” list for Internet service providers (ISPs), carriers and Web email hosts to institute while turning up their spam filters to weed out the chaff from the wheat, so to speak.

There are three ways a server can block out unwanted emails: a black list, a white list and/or a filtering program. A black list consists of IP addresses that are barred from sending emails on to the customer; the white list does the opposite, it allows only certain IP addresses from passing through the server. A filtering program, like those developed by companies like SendMail and Postini, blocks emails by keyword, volume or any number of controls.

The problem with black lists is that they sometime net legitimate emailers. For example, if a Web host allows one of its customers to send out a million spams, many real-time black hole lists (RBLs) will put the entire IP block used by that domain on the black list, shutting out that Web host’s other customers.

Filtering programs, on the other hand, present their own set of problems. They are very effective at stopping spam at the server — sometimes too effective. E-mail marketers that blast out a million messages to their customers could trigger the volume filter, putting that email into the “bulk” email folder with the spam.

Called “false positives,” these legitimate emails likely won’t see the light of day, or get read by users who just routinely dump their bulk folder without reading any of the messages therein. Because of the outside chance one of these false positives may be a critical piece of information or a legitimate mass-market email, many companies either don’t put in a filter at all, or keep the settings low enough on the filters to make sure they don’t miss that important email.

The bonded server program, according to IronPort CEO Scott Weiss, resembles a white list, in that companies that send out email blasts through them are accepted as legitimate emailers.

The incentive for marketers to join this list is the fact that ISPs or other hosts are now free to crank up their filtering programs. When that happens, most mass emails, as well as the spam, will be sent right to the bulk folder.

The caveat to that, of course, is that marketers agree to play by the rules of the game; if they don’t, they pay. Weiss said his company is still working out the details as far as pricing, but expects it will correspond with the size of the email blasts the marketer sends out.

The trick, Weiss said, is finding a pricing point that makes it painful enough for marketers to abide by the program, without making them put up too much cash up front. Regardless of the price, though, he doesn’t expect too assess much in the way of fines.

“It’s a bit of a moron test for spammers,” Weiss said. “If there’s any money changing hands, its people testing the system because if you’re a legitimate marketer there’s no way you would sign up just to lose money and send out mail.”

Weiss said proceeds gained from these fines will be donated to non-profit, anti-spam organizations like TRUSTe.

Dave Steer, a TRUSTe spokesperson, said the IronPort approach is similar to one of their own programs, the Trusted Sender, which separates legitimate email from spam and welcomes other ideas.

“We have also been looking for other ways, including ongoing discussions with IronPort, to expand privacy protection across the network in the context of the Trusted Sender program,” he said.

The success of the bonded server program relies heavily on the participation of those companies that traffic in email — not only the major firms of the Internet world, but the thousands of ISPs and corporations that make up the bulk of email recipients.

“Once the program gets adopted by the big players, once they sign on, that’s when it really rolls out,” Weiss said. “We’ve been in active discussion with all those players; it just makes too much sense on both sides for something like this to come into play.”

But if ISPs and the rest don’t want to play, the program is dead in the water before it begins. Like a black or white list, the program only works if the host agrees to put the bonded server list on their servers. If they don’t, it doesn’t give mass email marketers any incentive to sign up for the program.

So far, reaction to the IronPort program has yielded a positive buzz among ISPs.

“I firmly support our capitalist economy, I have no problem at all with genuine “opt in” email advertising, and obviously would much prefer not to block that which our subscribers have specifically and purposely asked to receive,” ZZAPP!’s Larimore said.

IronPort recently entered the second phase of its beta tests, from 350 to 1,000 users, to run scalability and server tests on the system. Included in the second wave of testers are some of the biggest emailers in the U.S. — Nasdaq, eBay and The Motley Fool are included in this round of testing. To date, IronPort has been testing with MTV, PayPal and Warner Music, to name a few.

IronPort expects to launch the bonded server program to the public sometime in the fourth quarter.