<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:admin="http://webns.net/mvcb/"
	xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		
		<title>CircleID: Email</title>
		<link>http://www.circleid.com/topics/</link>
		<description>Latest Email related postings on CircleID</description>
		
		<dc:language>en</dc:language>
		<dc:rights>Copyright 2010, unless where otherwise noted.</dc:rights>
		<dc:date>2010-03-19T12:02:01-08:00</dc:date>
		<image>
			<title>CircleID</title>
			<width>130</width>
			<height>45</height>
			<url>http://www.circleid.com/images/logo_rss.gif</url>
			<link>http://www.circleid.com/</link>
		</image>
		
		<item>
			<title>Are Portable Email Addresses Possible?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/are_portable_email_addresses_possible/</guid>
			<link>http://www.circleid.com/posts/are_portable_email_addresses_possible/</link>
			<description><![CDATA[<p><a href="http://translate.google.com/translate?hl=en&amp;sl=iw&amp;tl=en&amp;u=http://www.ynet.co.il/articles/0,7340,L-3852744,00.html">News reports</a> say that the Israeli government is close to passing a law that requires portable e-mail addresses, similar to portable phone numbers. Number portability has been a success, making it much easier to switch from one provider to another, and address portability might ease switching among ISPs. But e-mail is not phone calls. Is it even possible?
</p>
<p>
The bill's sponsors apparently assume that e-mail messages work enough like phone calls that whatever they do to make phone numbers portable can work the same way for mail. Unfortunately, they're wrong.
</p>
<p>
Every time you make a phone call, software in the phone system checks to see if the number you're calling has been ported. Since phone numbers are geographically assigned, there is a shared porting database for each calling area in which the calling switch looks up the dialed number (DN) to get the routing number (RN). If the number hasn't been ported, the DN is the same as the RN, but if it has, the RN is a number assigned to the switch to which the number has been ported. Then the call is routed based on the RN, but it also sends along the DN so the target switch knows who the call is for. The shared databases are run by a neutral party (Neustar in the US) and every telco pays to support them. The system was designed this way so that numbers that have been ported away don't put an extra load on the "donor" system from which they were ported.
</p>
<p>
Email doesn't work like that. There is a DNS lookup for the domain name, the part of the address after the @ sign, but all mail within the same domain is routed to the same place. The small minority of Internet users who have their own domains can change the domain's DNS records to change where the mail goes, but for users who get their addresses from their ISP or their employer, the address is tied to the ISP or the employer. You can imagine a system in which every mail delivery did a DNS lookup of the e-mail address first, but that's not how the mail system works.
</p>
<p>
But since this is a government mandate, is there any way to make this sort of work?
</p>
<p>
There were two other approaches for phone number portability proposed and discarded, call release and call forwarding. In call release, the call first goes to the original switch, which sends back a status message saying the number has been ported to another switch, and the calling switch then reconnects to the other switch. Call forwarding should be familiar to everyone--the called switch places a call to the real destination switch and connects the incoming call to it.
</p>
<p>
E-mail has analogs to both of these. For something like call release, the SMTP standard has always had a status code that a recipient system can send back to a sending system to say that the recipient has moved, and giving a new address. As far as anyone can tell, nobody has ever used that code, but it's there if anyone wants to give it a try. Mail forwarding, on the other hand, is very common.
</p>
<p>
The least awful way I can think of to make something like this work for email is that the user's new provider can contact the old provider on the user's behalf, and request the address be forwarded. So long as it's forwarded, the new provider pays the old one a modest monthly fee, mostly to give the providers an incentive to cancel the forward when the user leaves. The fees would probably net out in most cases so the costs would be mostly administrative.
</p>
<p>
Mechanically, that kind of setup would not be very hard. Administratively, it would be a nightmare. If the forwarded mail starts to bounce are they allowed to turn it off? Does the old provider do its usual spam filtering? (What if the user left because the filtering was lousy and lost a lot of real mail?)
</p>
<p>
Another possibility would be for the old provider to keep mail accounts active even though the account is otherwise turned off, and let people pick up mail from its mail server. This is surprisingly common now, often by accident. For example, I cancelled my BT broadband account in July when I left England, but the associated mail account still works, seven months later. Mechanically this still isn't hard, but if it's a required service, each ISP now has a permanent obligation to provide mail service to people from whom they no longer get any income, and with whom they have no other relationship. How do they know when to turn off the mail? If the user doesn't pick up the mail for a month? Six months? A year?
</p>
<p>
So my main advice is to forget it, since there's little evidence that this is a service so important it needs to be mandated. On the other hand, ISPs might find a small new income stream by selling forwarding service, like many post offices do. If the user is willing to pay $20/yr, that'd probably cover the cost of keeping a mailbox open, and would solve the problem without having to invent new rules and mechanisms.
</p><p><em>Written by <a href="http://www.circleid.com/members/1015/">John Levine</a>, Author, Consultant & Speaker</em></p>]]></description>
			<dc:date>2010-03-06T11:06:01-08:00</dc:date>
			<category>internet</category><category>email</category>
		</item>
		
		<item>
			<title>German High Court Says No to Retaining Telecom, Email Data for Tracking Criminal Networks</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/german_high_court_says_no_to_retaining_telecom_email_data/</guid>
			<link>http://www.circleid.com/posts/german_high_court_says_no_to_retaining_telecom_email_data/</link>
			<description><![CDATA[<p>The highest court in Germany has ruled against telephone and email data retention used to track criminal networks. Melissa Eddy of the Globe and Mail <a href="http://www.theglobeandmail.com/news/technology/german-high-court-says-telecom-e-mail-data-cannot-be-retained/article1486371/">reports</a>: "A law ordering data on calls made from mobile or landline telephones and e-mail exchanges be retained for six months for possible use by criminal authorities violated Germans' constitutional right to private correspondence, the Federal Constitutional Court ruled. In its ruling, the court said the law failed to sufficiently balance the need for personal privacy against that for providing security."
</p>]]></description>
			<dc:date>2010-03-02T12:32:00-08:00</dc:date>
			<category>internet</category><category>data_center</category><category>email</category><category>law</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>telecom</category>
		</item>
		
		<item>
			<title>Email Portability Approved by Knesset Committee</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100222_email_portability_approved_by_knesset_committee/</guid>
			<link>http://www.circleid.com/posts/20100222_email_portability_approved_by_knesset_committee/</link>
			<description><![CDATA[<p>The email portability bill has just been approved by the Knesset's committee for legislation, sending it on its way for the full legislation process of the Israeli parliament.
</p>
<p>
While many users own a free email account, many in Israel still make use of their ISP's email service.
</p>
<p>
According to this proposed bill, when a client transfers to a different ISP the email address will optionally be his to take along, "just like" mobile providers do today with phone numbers.
</p>
<p>
This new legislation makes little technological sense, and will certainly be a mess to handle operationally as well as bureaucratically, but it certainly is interesting, and at least the notion is beautiful.
</p>
<p>
The proposed bill can be found here [Doc, Hebrew]:
<br />
<a href="http://my.ynet.co.il/pic/computers/22022010/mail.doc">http://my.ynet.co.il/pic/computers/22022010/mail.doc</a>
</p>
<p>
Linked to from this ynet (leading Israeli news site) story, here:
<br />
<a href="http://www.ynet.co.il/articles/0,7340,L-3852744,00.html">http://www.ynet.co.il/articles/0,7340,L-3852744,00.html</a>
</p><p><em>Written by <a href="http://www.circleid.com/members/1797/">Gadi Evron</a>, Security Strategist</em></p>]]></description>
			<dc:date>2010-02-22T10:49:00-08:00</dc:date>
			<category>internet</category><category>email</category><category>policy_regulation</category>
		</item>
		
		<item>
			<title>IPv6 and the Swedish Public Sector</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100211_ipv6_for_the_swedish_public_sector/</guid>
			<link>http://www.circleid.com/posts/20100211_ipv6_for_the_swedish_public_sector/</link>
			<description><![CDATA[<p><em>This post has been co-authored by <a href="http://www.circleid.com/members/4496">Jörgen Eriksson</a> and <a href="http://www.circleid.com/members/4450/">Torbjörn Eklöv</a>.</em>
</p>
<p>
No one can have failed to notice that the last IPv4 address will soon be allocated. We have lived with a shortage of addresses for 15 years, but when the last address is allocated, the shortage will become acute, instead of just a pain, as it is today. There is much to read on <a href="http://www.ipv6forum.se">http://www.ipv6forum.se</a> and <a href="http://www.ipv6forum.se">http://www.ipv6actnow.org/</a>.
</p>
<p>
In <em>The Hitchhiker's Guide to the Galaxy</em>, Douglas Adams describes the least expensive and most effective method for making something invisible. You simply decide that it is Someone Else's Problem or SEP, if you abbreviate. This is an approach that is frighteningly similar to the Swedish public sector's view of the address shortage on the Internet. "It is not our problem&#8212;if we ignore it, it will probably go away."
</p>
<p>
The only reasonable solution for the long term is currently called IPv6, a technology that has been available for many years but which few have begun to use. We wondered a bit about how well the Swedish public sector is prepared for IPv6. We talked to a person who works with IT procurement, who said that he was not aware of a single procurement in recent years that required support for IPv6. One can wonder why this is so. One explanation is that the Legal, Financial and Administrative Services Agency, which currently handles procurement for the public sector, has not completed its procurement requirements, since the E-Delegation's study "Strategy for the authorities' work with e-administration" (SOU 2009:86) is still being circulated for comment. Hopefully, but far from certainly, this study will clearly indicate the need for IPv6 and other technologies as a basic requirement to ensure a stable and accessible Internet also in the future!
</p>
<p>
We have several proposals for the Swedish public sector that we hope they will adopt - not to be caught unprepared the day the Internet as we know it changes drastically.
</p>
<p>
<strong>Demand IPv6 from your Internet supplier</strong>
</p>
<p>
According to a study in October 2009, only 15 percent of Sweden's Internet suppliers are able to provide IPv6 (<a href="https://wiki.bc.net/atl-conf/pages/viewpage.action?pageId=23759757">source</a>). Those who cannot do so should be disqualified in an automated procurement, and as customers, you must put pressure on them by demanding that they activate IPv6 directly at installation. Do not let them get away with vague promises of "in the autumn!" If they cannot support IPv6 now, they have no place in the market.
</p>
<p>
There are also suppliers that state that they are able to support IPv6, but a critical examination reveals that it is not as easy as they promise! So demand references for the same connection type and geographic area before signing any contracts. A good example is Telia, which needed about four months from order to delivery of IPv6. And they are not even able to deliver native IPv6, but only tunnels.
</p>
<p>
<strong>Make sure that all equipment and system software supports IPv6.</strong>
</p>
<p>
Examples of external systems that must support IPv6:
</p>
<ul><li>Firewalls &ndash; Many leading suppliers of firewalls have support for IPv6. If you are bound by long contracts for firewalls that only support IPv4, purchase an additional firewall. Place it in parallel with the old one and run all IPv6 in it. You will not need the same extensive set of rules or performance in a separate firewall, if it only runs IPv6! For SEK 10,000, you will have a firewall to start with and learn from.</li>
<li>Web servers &ndash; Most systems in the market are IPv6 compatible. The web is ideal as a first service! Google has been testing IPv6 for a number of years by making its ordinary search service available over IPv6, although at another address: <a href="http://ipv6.google.com">http://ipv6.google.com</a>. A company can do the same. This has minimal impact on the existing operating environment, yet provides an opportunity to test and learn the new protocol.</li>
<li>E-mail systems &ndash; Many companies today perform some form of filtering of e-mail for spam and virus before allowing it to enter internal systems. Demand that all e-mail servers that receive your e-mail from others must also accept IPv6 for incoming and outgoing e-mail.</li>
<li>Operating systems &ndash; Believe it or not, but Microsoft is a shining star with respect to support for IPv6 and is clearly ahead of the open-source operating systems based on Linux and BSD. Above all, Windows Vista and Windows 7 are excellent examples of systems with full IPv6 support, but even the older Windows XP handles IPv6 relatively well! It may be a good idea for the IT department to begin testing and using IPv6 so that they gain experience prior to a broader roll-out.</li>
<li>DNS &ndash; To be able to show the rest of the Internet that your services can be accessed via IPv6, your DNS must naturally identify the services that have IPv6 addresses. However, the DNS servers themselves should also be accessible via IPv6. If you have DNS servers with your ISP or elsewhere, check with them if they are ready, and if not, consider using another supplier that is!</li></ul>
<p>
<strong>Start training</strong>
</p>
<p>
Only short training is required to start IPv6, in our opinion. If you know IPv4, it is easy to get started with IPv6! And getting started will build experience&#8212;that is something you cannot get from classes! A good idea is to gather personnel from several municipalities or the public authorities with which you work and bring in an experienced technician to hold practical workshops to warm you up before investing major sums in training. Training always works best if you have some prior knowledge!
</p>
<p>
<strong>Other infrastructure that needs attention</strong>
</p>
<p>
DNSSEC &ndash; We naturally focus on IPv6, since that is one of our main interests. However, there are several extremely important areas where the public sector could take the lead. One of them is a more secure infrastructure for DNS, which is commonly known as DNSSEC. A few years ago, a researcher showed how easy it is to redirect a user wishing to access a given website or e-mail server to another malicious one. Today, upgrades have made this a little more difficult, but it is still possible. With DNSSEC at DNS operators, companies and ISPs, this loophole would be closed. Once again, the standard has been in place for some time, but introduction has been slow.
</p>
<p>
E-identification &ndash; Important decisions also remain to be taken regarding e-identification. The model that has been in use in Sweden for a number of years suffers from several deficiencies. It is important to place requirements on the system so that it,
</p>
<ul><li>is based on open standards,</li>
<li>provides full protection for personal integrity,</li>
<li>is technology-neutral and</li>
<li>is available to all players in all parts of society.</li></ul>
<p>
The roles of registrars and issuers of identification should also be made clear and separated. Today's system also suffers from the fact that only private persons can identify themselves. Companies, authorities and associations should naturally also be able to identify themselves! In this context, it is important that the government opens its databases in a manner that not only creates opportunities, but also protects integrity.
</p>
<p>
<strong>Am I already running IPv6?</strong>
</p>
<p>
Modern operating systems have IPv6 activated by default. This means that you may already be running IPv6 via an automatic tunnel service without knowing it! Test towards <a href="http://test.ipv6.tk">http://test.ipv6.tk</a> and you will see if you are running IPv6 or not! The results may vary with the same computer if you are at work or at home, depending on firewalls and other equipment.
</p>
<p>
<strong>Conclusion?</strong>
</p>
<p>
The pages <a href="http://www.kommunermedipv6.se">http://www.kommunermedipv6.se</a> and <a href="http://www.myndighetermedipv6.se">http://www.myndighetermedipv6.se</a> show that very little is happening, unfortunately. There must be a demand from above for the public sector to prioritize this in its IT operations. At the same time, this is not a monumental task! It is a matter of working days per agency, not several man years.
</p><p><em>Written by <a href="http://www.circleid.com/members/4450/">Torbjörn Eklöv</a>, CTO, Senior Network Architect, DNSSEC/IPv6</em></p>]]></description>
			<dc:date>2010-02-11T13:08:00-08:00</dc:date>
			<category>internet</category><category>dns</category><category>dnssec</category><category>email</category><category>internet_governance</category><category>ipv6</category><category>security</category>
		</item>
		
		<item>
			<title>Protecting Customer Data</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/esp_protecting_customer_data/</guid>
			<link>http://www.circleid.com/posts/esp_protecting_customer_data/</link>
			<description><![CDATA[<p>There have been a number of reports recently about customer lists leaking out through Email Service Providers (ESPs). In one case, the ESP attributed the leak to an outside hack. In other cases, the ESPs and companies involved have kept the information very quiet and <a href="http://blog.wordtothewise.com/2010/01/esps-leaking-email-addresses/">not told anyone that data was leaked</a>. People do notice, though, when they use single use addresses or tagged addresses and know to whom each address was submitted. Data security is not something that can be glossed over and ignored.
</p>
<p>
Most of the cases I am aware of have actually been inside jobs. Data has been stolen either by employees or by subcontractors that had access to it and then sold to spammers. There are steps that companies can take to prevent leaks and identify the source when or if they do happen.
</p>
<ol>
<li>Limit employee and subcontractor access to data. Keep data machines separate from other machines and limit employee access to those who must have access.</li>
<li>Subcontractors who must have access to data should be under contract and under NDA. Make it very clear that data leaks will be treated seriously and may result in legal action.</li>
<li>If employee or business issues mean that employees will be terminated, remove access to data sources before the employee is notified of termination. Some employees who would not consider stealing data from a company they work for will take data after they are terminated.</li>
<li>Institute secure audit trails for access to data. Track every time an employee accesses data from a console, web interface or client.</li>
<li>Prevent, as much as possible, the ability for anyone to download data. If there are reasons someone needs to download email addresses, remove @ signs and replace with another symbol to make it less likely that trojans on employee laptops will steal the addresses.</li>
<li>Prohibit employees from storing customer data on laptops or downloading over wireless.</li>
<li>When providing data to subcontractors seed addresses in the lists. This way, if the list is leaked or sold, then you will know when that happens. Provide unique seeds to each subcontractor in order to identify which subcontractor is responsible for the leak.</li>
<li>Occasionally search all machines on your network for the seeded addresses to identify places where data may unexpectedly end up internally.</li>
<li>Occasionally punch seed addresses into search engines (Google or Bing) to see where address lists may have leaked.</li>
<li>Run current and up to date anti-virus software on all machines. Use hardware firewall and VPN software to limit external access.</li>
<li>Block outbound port 25 across the network. Ban any peer to peer software on any machine that has access to address lists, including employee laptops.</li>
<li>Securely store and/or encrypt any backup tapes to prevent employees from walking off with them.</li>
<li>Don't put email lists or log files within a webserver directory; htaccess protection is not sufficient to prevent access.</li>
<li>If you are shipping files around with email addresses, use good encryption to prevent unauthorized users from having access.</li>
</ol>
<p>
None of these things will guarantee data will not be stolen or leaked. But limiting access to the data, and having a clear audit trail and consequences will make anyone think twice before stealing it.
</p><p><em>Written by <a href="http://www.circleid.com/members/4297/">Laura Atkins</a>, Founding partner of anti-spam consultancy & software firm Word to the Wise</em></p>]]></description>
			<dc:date>2010-01-28T13:15:00-08:00</dc:date>
			<category>internet</category><category>data_center</category><category>email</category><category>policy_regulation</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Corporate Espionage in the News: Hilton and the Oil Industry</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/corporate_espionage_in_the_news_hilton_and_oil_industry/</guid>
			<link>http://www.circleid.com/posts/corporate_espionage_in_the_news_hilton_and_oil_industry/</link>
			<description><![CDATA[<p>Is anyone calling espionage by means of computers cyber-espionage yet? I hope not. At least they shouldn't call it cyber war.
</p>
<p>
Two news stories of computerized espionage reached me today.
</p>
<p>
The first, regarding the oil industry, was sent by Marc Sachs to a SCADA security mailing list we both read. The second, about the hotel industry, was sent by Deb Geisler to a science fiction convention runners (SMOFS) mailing list we both read.
</p>
<p>
<strong>US oil industry hit by cyberattacks: Was China involved?</strong> (<a href="http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved">link</a>)
</p>
<blockquote><p><em>At least three US oil companies were the target of a series of previously undisclosed cyberattacks that may have originated in China and that experts say highlight a new level of sophistication in the growing global war of Internet espionage.</em></p></blockquote>
<p>
<strong>Starwood Charges That Top Hilton Execs Abetted Espionage</strong> (<a href="http://www.meetings-conventions.com/article_ektid31918.aspx">link</a>)
</p>
<blockquote><p><em>Starwood's claim points to a "mountain of undisputed evidence," including e-mails among Hilton senior management, that Klein and Lalvani worked with others within Starwood to steal sensitive documents by sending them via personal e-mail accounts, among other methods, and that such information was shared and used by all of Hilton's luxury and lifestyle brands, as well as in the development of Hilton's now-shelved Denizen brand. In the new filing, Starwood says, "This case is extraordinary, and presents the clearest imaginable case of corporate espionage, theft of trade secrets, unfair competition and computer fraud...Hilton's conduct is outrageous."</em></p></blockquote>
<p>
As to whether China is involved, maybe. But the automatic blaming has got to stop. Many other countries have been known to be conducting corporate espionage, such as <a href="http://samvak.tripod.com/pp144.html">France</a>, and as the second story above shows, so do corporations themselves.
</p>
<p>
But.. here are a few questions:
</p>
<p>
- My dog barked, was China involved?
<br />
- The traffic light turned red, was China involved?
<br />
- I am tired. Is China involved?
</p><p><em>Written by <a href="http://www.circleid.com/members/1797/">Gadi Evron</a>, Security Strategist</em></p>]]></description>
			<dc:date>2010-01-26T07:44:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>email</category><category>security</category>
		</item>
		
		<item>
			<title>MIT Spam Conference: 2010 Call for Papers and Participation</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100119_mit_spam_conference_2010_call_for_papers_participation/</guid>
			<link>http://www.circleid.com/posts/20100119_mit_spam_conference_2010_call_for_papers_participation/</link>
			<description><![CDATA[<p>I am proud (or disappointed) to announce the 8th annual <a href="http://projects.csail.mit.edu/spamconf/">MIT Spam Conference</a>, March 25th and 26th at MIT in Cambridge, Massachusetts, a regular research competition that brings out the best minds in the fight against unsolicited email. At this point it would be helpful to provide a little background on the conference and remind everyone that the <a href="http://projects.csail.mit.edu/spamconf/SC2010/cfp-SC2010.pdf">Call For Papers</a> (PDF) is still open. Just as the spammers have developed new tools, platforms, and tactics to deliver their message, we need to match them and push it back. Spam is still the number one threat on the Internet today as it drives illicit commerce, delivers viruses, opens doorways for intrusions, and tricks the savvy and gullible alike into handing over cash and credentials. To this end, the conference has been broadened in the last two years to include a variety of subjects and revolutionary proposals.
</p>
<p>
This top-talent but low-key session was started in 2003 by Paul Graham, the inventor of <a href="http://en.wikipedia.org/wiki/Bayesian_spam_filtering">Bayesian spam filtering</a>, which is the basis for current spam filters. After a few years of chairing the Spam Conference, Graham moved on to <a href="http://ycombinator.com/">YCombinator</a>, Yahoo's start-up development project. In 2006, <a href="http://www.merl.com/people/yerazunis/">William "Bill" Yerazunis</a> of Mitsubishi Electric Research Labs (MERL) took up the mantle and worked to expand the conference to two days. Yerazunis isn't just a spam guy; he has worked in a number of technical fields including optics, computer graphics, transplant immunology, artificial intelligence, and other diverse disciplines. Yerazunis, who holds 29 patents, turned the Spam Conference over to University of Akron Computer Science Professor <a href="http://www.cs.uakron.edu/~kliszka/">Kathy Liszka</a>. Last year, Liszka coordinated and ran one of the most topic-diverse conferences yet. Liszka <a href="http://projects.csail.mit.edu/spamconf/SC2010/cfp-SC2010.pdf">will be accepting research submissions</a> until February 1, 2010.
</p>
<p>
For those who do not have research to submit, but are still interested in the subject, the conference is open to the public and usually held in the unique "dancing building" at MIT, the <a href="http://en.wikipedia.org/wiki/Stata_Center">Stata Center</a> designed by <a href="http://en.wikipedia.org/wiki/Frank_Gehry">Frank Gehry</a>. There is always a lively debate and discussion as well as a review of shocking developments in spam and predictions for the coming year. All points of view are welcome as some of the brightest minds take a deep look at this ongoing and troubling technology problem.
</p><p><em>Written by <a href="http://www.circleid.com/members/3296/">Garth Bruen</a>, Internet Fraud Analyst and Policy Developer</em></p>]]></description>
			<dc:date>2010-01-19T14:18:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>email</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>Helping Haiti: The Email Community Response</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100116_helping_haiti_the_email_community_response/</guid>
			<link>http://www.circleid.com/posts/20100116_helping_haiti_the_email_community_response/</link>
			<description><![CDATA[<p>It is inconceivable that anyone within viewing distance of a television or computer screen this week doesn't know about the disaster in Haiti. As of this writing, 50,000 bodies have been collected from the streets of Port-au-Prince. Millions of people, a number our brains simply aren't equipped to deal with, are now homeless.
</p>
<p>
Help is needed <em>now</em>, and will be, for a <em>very</em> long time. In response, the immediate and continuing outpouring of generosity from individuals, companies and organizations, and governments has been astounding. The outpouring has relied on the Internet and mobile phones to facilitate donations. And, along with it, predictably, came scum <a href="http://cauce.org/archives/159-A-Word-of-Warning-about-your-Donation-to-Charity.html">attempting to defraud people with fake charities</a>, posting links to Twitter and the inevitable spammed campaigns.
</p>
<p>
Another matter that may be interfering with the ability of charities and relief organizations to do their work is spam filters and blacklists. Unfortunately, the reality is that some charities are better at fund-raising and helping people than following email best practices, and despite the fundamental nature of their work, their IPs have ended up blocked, or they are not getting the delivery they need, particularly at this time of crisis.
</p>
<p>
So, what can we do as a community to assist them?
</p>
<p>
<strong>Receivers, Filtering Services &amp; DNSBLs</strong>
</p>
<p>
Please whitelist the IPs (and domains) of any charity known to be assisting in the Haitian relief effort.
</p>
<p>
Yes, I know, they might be sending lousy mail streams, lots of bounces, trap hits, etcetera. I suggest that for the next while, for whatever period of time you are comfortable, you turn a blind eye to that; instead, please cast wide-open eyes to the big picture. People, human beings like you and me, need the world's help and you can play an integral part in that effort.
</p>
<p>
<strong>Senders</strong>
</p>
<p>
If you are an ESP or ASP that is handling traffic for charities or other agencies involved in the relief effort, drop me an email to spamfighter@gmail.com and I will list them on my blog <a href="http://spamfighter666.blogspot.com">spamfighter666.blogspot.com</a>, so others can use that information.
</p>
<p>
<strong>Researchers</strong>
</p>
<p>
I have a long list of charities, gleaned from a few trusted sources. If you can spend a little time digging around to find outbound IPs to add to the list, that would be great. Again, spamfighter@gmail.com
</p>
<p>
<strong>Anyone &amp; Everyone</strong>
</p>
<p>
If you can think of anything beyond these measures I've suggested, I'm all ears and would happily post it here. And, of course, please donate money. I know times are tough, many of our colleagues are hard-pressed, laid-off or even fired, so those of us who can afford it, please be extra-generous in your cash donations.
</p>
<p>
Thanks for considering being a part of this. The Haitian motto, on their flag, is "L'union fait la force" (Unity is strength). Let's pull together to make this happen.
</p><p><em>Written by <a href="http://www.circleid.com/members/617/">Neil Schwartzman</a>, Executive Director, CAUCE North America</em></p>]]></description>
			<dc:date>2010-01-16T11:53:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>email</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>A Word of Warning About Your Haiti Charity Donations</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/warning_about_haiti_donations_to_charity/</guid>
			<link>http://www.circleid.com/posts/warning_about_haiti_donations_to_charity/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/617/">Neil Schwartzman</a> writes: "<a href="http://www.cauce.org/archives/159-A-Word-of-Warning-about-your-Donation-to-Charity.html">CAUCE</a>, The <a href="http://www.ic3.gov/media/2010/100113.aspx">U.S. Federal Bureau of Investigation</a> and <a href="http://www.symantec.com/connect/blogs/419-style-scammers-seeking-exploit-appeal-donations-support-victims-haitian-earthquake">Symantec</a> warn consumers about fraudulent charities trying to steal donations for Haitian earthquake relief efforts."
</p><p><strong>Read full story:</strong> <a href="http://www.cauce.org/archives/159-A-Word-of-Warning-about-your-Donation-to-Charity.html">External Source</a></p>]]></description>
			<dc:date>2010-01-15T09:58:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>email</category><category>law</category><category>spam</category>
		</item>
		
		<item>
			<title>China Hacks Google, Etc.</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100115_china_hacks_google_etc/</guid>
			<link>http://www.circleid.com/posts/20100115_china_hacks_google_etc/</link>
			<description><![CDATA[<p>Many news sources are reporting on how Google and other corporations were hacked by China.
</p>
<p>
The reports, depending on vendor, blame either PDF files via email as the original perpetrator, or lay most of the blame on an Internet Explorer 0day.
</p>
<p>
Unlike my colleagues (save for the ones reporting), I would rather not discuss this too much before more data is available.
</p>
<p>
Regardless of what really happened, which I hope we will know more on later, these things are clear:
</p>
<p>
1. Unlike GhostNet, which showed an interesting attack, but unfortunately many of us jumped to conclusions without evidence that it was China behind them&#8212;based on Ethos alone I'd like to think that when Google says China did it, they know. Although being a commercial company with their own agenda, I am saving final judgment.
</p>
<p>
2. The 0day disclosed here shows a higher level of sophistication, as well as an m.o. which has been shown to be used by China in the past.
</p>
<p>
3. If this was China, which some recent talk seems to make ambiguous, but still likely, they would have more than just one weapon in their arsenal.
</p>
<p>
4. This incident has brought cyber security once again to the awareness of the public, in a way no other incident since Georgia has succeeded, and to political awareness in a way no incident since Estonia has done.
</p>
<p>
<em>Update: Text corrected as per comment below.</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/1797/">Gadi Evron</a>, Security Strategist</em></p>]]></description>
			<dc:date>2010-01-15T08:43:00-08:00</dc:date>
			<category>internet</category><category>censorship</category><category>cyberattack</category><category>email</category><category>malware</category><category>privacy</category><category>security</category>
		</item>
		
		<item>
			<title>Addressing Search Engine, Website, and Provider Accountability for Illicit Online Drug Sales</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/addressing_accountability_for_online_drug_sales/</guid>
			<link>http://www.circleid.com/posts/addressing_accountability_for_online_drug_sales/</link>
			<description><![CDATA[<p><a href="http://www.circleid.com/members/3296/">Garth Bruen</a> reports on a paper published by the American Society of Law, Medicine &amp; Ethics of Boston University School of Law authored by Bryan A. Liang and Tim Mackey titled, <em>"Searching for Safety: Addressing Search Engine, Website, and Provider Accountability for Illicit Online Drug Sales"</em>. From the paper: "Online sales of pharmaceuticals are a rapidly growing phenomenon. Yet despite the dangers of purchasing drugs over the Internet, sales continue to escalate. These dangers include patient harm from fake or tainted drugs, lack of clinical oversight, and financial loss. Patients, and in particular vulnerable groups such as seniors and minorities, purchase drugs online either naïvely or because they lack the ability to access medications from other sources due to price considerations. Unfortunately, high risk online drug sources dominate the Internet, and virtually no accountability exists to ensure safety of purchased products." <a href="http://www.safemedicines.org/resources/LiangMackeyAJLM.pdf">Full paper</a> [PDF].
</p>]]></description>
			<dc:date>2010-01-11T11:21:00-08:00</dc:date>
			<category>internet</category><category>cybercrime</category><category>domain_names</category><category>domain_registries</category><category>email</category><category>icann</category><category>internet_governance</category><category>law</category><category>policy_regulation</category><category>spam</category><category>top_level_domains</category><category>whois</category>
		</item>
		
		<item>
			<title>Email Related Predictions for 2010</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100104_email_related_predictions_for_2010/</guid>
			<link>http://www.circleid.com/posts/20100104_email_related_predictions_for_2010/</link>
			<description><![CDATA[<p>As my <a href="http://blog.wordtothewise.com/2009/12/the-coming-changes/">recent</a> <a href="http://blog.wordtothewise.com/2009/12/a-series-of-warnings/">series</a> of posts has indicated, I am seeing a lot of future changes in the email industry.
</p>
<p>
What do I think we can look forward to in email in 2010?
</p>
<p>
<strong>Authentication</strong>
</p>
<p>
In the realm of real authentication, the protocol most are using is DKIM. While people will probably continue to publish SPF records (and Microsoft will continue to cling to the hope it becomes widespread) its relevance will continue to decrease. As fewer people pay attention to SPF, records may be unmaintained and become stale, further decreasing their use and relevance.
</p>
<p>
In contrast to SPF, DKIM will continue rolling out. More senders (both the ESPs and the ISPs) will be signing outgoing mail with DKIM. More receivers will be checking DKIM signatures and monitoring domain reputation. I think we're on the cusp of critical mass and signing will become less of a bonus and more of a given. Right now, it seems that senders who are signing with DKIM are seeing a bit of a reputation bump just because they're signing. I expect this positive effect will wane, but for now anyone who is signing seems to be seeing improved delivery.
</p>
<p>
<strong>Domain based reputation</strong>
</p>
<p>
Domain based reputation is on the upswing and I see that continuing through 2010. I don't, however, see domain based reputation replacing or even becoming more important than IP based reputation. A few people have predicted that domain reputation will replace IP reputation, and they're wrong. Domain based reputation will augment but not replace IP based reputation. It is easy and efficient to check the reputation of a connecting IP address and a receiver can make a preliminary delivery decision without having to accept the full email.
</p>
<p>
Where domain based reputation will have the biggest effect is for IP addresses with mixed mail streams or IP addresses with no reputation. Small senders often have to share IP addresses with other senders and domain based reputation will allow them to establish their own reputation separately from the reputation of other senders using the same IP. The other real bonus will be when moving mail from one IP to another. Domain based reputation may decrease the time required to warmup an IP address.
</p>
<p>
<strong>Engagement</strong>
</p>
<p>
The buzzword for 2010 is engagement. ISPs will be measuring engagement and making delivery decisions based on how much their users want particular email. In the past ISPs have used measurements like complaint rates and bounce rates to measure how wanted email is. These numbers correlate with how wanted mail is, but are relatively easy for senders to game. In 2010, ISPs are going to actually start filtering based on how wanted mail is. "Wanted" mail will no longer be measured using the proxy measurements, as those have proven to be easy to game. Instead, ISPs will directly measure how much recipients want a particular mail. These changes will force senders to stop sending mail that does not generate complaints and start sending mails that recipients are eager to receive.
</p>
<p>
<strong>Social Networking</strong>
</p>
<p>
I don't see social networking replacing email marketing at any time. I do see, though, email marketing giving recipients opportunities to share information with social networks. Smart senders will provide easy links so that recipients can share information with their social networks. When marketers do well, they'll have happy recipients who want to share the information. When marketers do poorly, however, they will have to deal with unhappy recipients. It only takes a few people publicizing a company failure to generate negative buzz.
</p>
<p>
<strong>Conclusion</strong>
</p>
<p>
In 2010 email marketing is going to get much more challenging for everyone. Recipients, and their ISPs, are expecting more and better things from email marketing. Senders who are currently meeting expectations may struggle to meet those increasing standards within their current marketing frameworks. Successful marketers will be able to make the switch from sending mail that doesn't annoy customers to sending mail that recipients truly want. On the ESP side, they may find they have to provide more guidance and consulting support for customers. They may also need to change some policies and improve their problem detection systems.
</p>
<p>
This is the year of engagement, and senders can't fake engagement the way they can other metrics. Marginal senders will struggle to adapt to the new conditions. Better senders will need to change some things, but will improve their marketing to meet the new standards. Overall, though, the changes will drive all senders to really send mail people want. This leads to more engaged recipients. More engaged recipients lead to better delivery and better ROI for those marketers as well as a better inbox experience for recipients.
</p><p><em>Written by <a href="http://www.circleid.com/members/4297/">Laura Atkins</a>, Founding partner of anti-spam consultancy & software firm Word to the Wise</em></p>]]></description>
			<dc:date>2010-01-04T21:12:00-08:00</dc:date>
			<category>internet</category><category>email</category><category>spam</category>
		</item>
		
		<item>
			<title>CircleID&apos;s Top 10 Posts of 2009</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100104_circleid_top_10_posts_of_2009/</guid>
			<link>http://www.circleid.com/posts/20100104_circleid_top_10_posts_of_2009/</link>
			<description><![CDATA[<p>Looking back at the year that just ended, here are the top ten most popular news, blogs, and industry news on CircleID in 2009 based on the overall readership of the posts. Congratulations to all the participants whose posts reached top readership in 2009 and best wishes to the entire community in 2010.
</p>
<p>
<strong>Top 10 Featured <a href="http://www.circleid.com/blogs/">Blogs</a> in 2009:</strong>
</p>
<ol>
<li><a href="http://www.circleid.com/posts/20091008_yahoo_gmail_hotmail_compromised_but_how/">Yahoo, Gmail, Hotmail Compromised - But How?</a>
<br />
by <a href="http://www.circleid.com/members/2859/">Terry Zink</a> - Oct 08, 2009</li>
<li><a href="http://www.circleid.com/posts/20090614_closer_look_at_iran_internet_strange_changes/">A Closer Look at Iran's State of Internet, Strange Transit Changes in Wake of Controversial Election</a>
<br />
by <a href="http://www.circleid.com/members/3638/">Jim Cowie</a> - Jun 14, 2009</li>
<li><a href="http://www.circleid.com/posts/20090310_wimax_vs_lte/">WiMAX vs. LTE</a>
<br />
by <a href="http://www.circleid.com/members/3749/">Paul Budde</a> - Mar 10, 2009</li>
<li><a href="http://www.circleid.com/posts/20090608_chinas_green_dam_youth_escort_software/">China's "Green Dam Youth Escort" Software</a>
<br />
by <a href="http://www.circleid.com/members/1486/">Rebecca MacKinnon</a> - Jun 08, 2009</li>
<li><a href="http://www.circleid.com/posts/20090609_verizon_mandates_ipv6_support_for_next_gen_cell_phones/">Verizon Mandates IPv6 Support for Next-Gen Cell Phones</a>
<br />
by <a href="http://www.circleid.com/members/3695/">Derek Morr</a> - Jun 09, 2009</li>
<li><a href="http://www.circleid.com/posts/20090306_cloud_computing_types_public_hybrid_private/">Cloud Computing Types: Public Cloud, Hybrid Cloud, Private Cloud</a>
<br />
by <a href="http://www.circleid.com/members/3507/">Sam Johnston</a> - Mar 06, 2009</li>
<li><a href="http://www.circleid.com/posts/20090513_cant_connect_wont_connect/">Can't Connect&#8230; Won't Connect</a>
<br />
by <a href="http://www.circleid.com/members/1120/">Bill Thompson</a> - May 13, 2009</li>
<li><a href="http://www.circleid.com/posts/20090413_cybersecurity_act_of_2009/">The Cybersecurity Act of 2009</a>
<br />
by <a href="http://www.circleid.com/members/3631/">Steven Bellovin</a> - Apr 13, 2009</li>
<li><a href="http://www.circleid.com/posts/20090313_google_adsense_publishers_change_privacy_policy/">Google AdSense Asks Publishers to Change Their Websites' Privacy Policy</a>
<br />
by <a href="http://www.circleid.com/members/2077/">Dhaval Doshi</a> - Mar 13, 2009</li>
<li><a href="http://www.circleid.com/posts/20090416_youtube_analysts_internet_peering/">YouTube's Fine - Analysts Don't Understand Internet Peering</a>
<br />
by <a href="http://www.circleid.com/members/2691/">Brough Turner</a> - Apr 16, 2009</li>
</ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/news/">News</a> in 2009:</strong>
</p>
<ol>
<li><a href="http://www.circleid.com/posts/20090123_network_solutions_down_ddos_attack/">Network Solutions Under Large Scale DDoS Attack, Millions of Websites Potentially Unreachable</a>
<br />
Jan 23, 2009</li>
<li><a href="http://www.circleid.com/posts/physical_force_in_response_to_cyberattack/">U.S. General Reserves Right to Use Physical Force, Even Nuclear, in Response to Cyberattack</a>
<br />
May 13, 2009</li>
<li><a href="http://www.circleid.com/posts/google_cloud_storage_coming_within_weeks/">Google Cloud Storage Coming Within Weeks</a>
<br />
May 20, 2009</li>
<li><a href="http://www.circleid.com/posts/finland_first_country_to_make_broadband_a_legal_right/">Finland First Country to Make Broadband a Legal Right</a>
<br />
Oct 14, 2009</li>
<li><a href="http://www.circleid.com/posts/20090617_latest_updates_from_the_icann_meetings_in_sydney/">SPECIAL: Updates from the ICANN Meetings in Sydney</a>
<br />
Jun 26, 2009</li>
<li><a href="http://www.circleid.com/posts/20090108_google_services_over_ipv6/">Google Rolling Out Its Services Over IPv6</a>
<br />
Jan 08, 2009</li>
<li><a href="http://www.circleid.com/posts/icanns_president_ceo_announces_resignation/">ICANN's President and CEO Announces Resignation</a>
<br />
Mar 02, 2009</li>
<li><a href="http://www.circleid.com/posts/20090619_iran_internet_censorship_sophisticated/">Iran's Internet Censorship Most Sophisticated in the World</a>
<br />
Jun 19, 2009</li>
<li><a href="http://www.circleid.com/posts/20090709_comcast_unleashes_trial_dns_redirection_in_select_states/">Comcast Unleashes Trial DNS Redirection in Select States</a>
<br />
Jul 09, 2009</li>
<li><a href="http://www.circleid.com/posts/20090316_latest_cybersquatting_stats_wipo/">Latest Cybersquatting Stats from WIPO</a>
<br />
Mar 16, 2009</li>
</ol>
<p>
<strong>Top 10 <a href="http://www.circleid.com/industry/">Industry News</a> in 2009 by sponsored posts*:</strong>
</p>
<ol>
<li><a href="http://www.circleid.com/posts/20090430_facebook_markmonitor_antifraud_malware/">Facebook Selects MarkMonitor Antifraud Solutions to Combat Malware</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Apr 30, 2009</li>
<li><a href="http://www.circleid.com/posts/20090602_org_first_open_top_level_domain_dnssec/">.ORG First Open Top-Level Domain to be Signed with DNSSEC</a>
<br />
by <a href="http://www.circleid.com/members/1858/">PIR</a> - Jun 02, 2009</li>
<li><a href="http://www.circleid.com/posts/20090424_nonprofit_domain_registry_social_media/">Perspectives from a Nonprofit Domain Name Registry on Navigating the Social Media Frontier</a>
<br />
by <a href="http://www.circleid.com/members/1858/">PIR</a> - Apr 24, 2009</li>
<li><a href="http://www.circleid.com/posts/20090522_expanding_internet_access_driving_software_piracy/">Expanding Internet Access Driving Software Piracy, Study Says</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - May 22, 2009</li>
<li><a href="http://www.circleid.com/posts/2009_important_documents_released_by_icann/">A Seemingly Overwhelming Number of Important Documents Released by ICANN</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Jun 02, 2009</li>
<li><a href="http://www.circleid.com/posts/markmonitor_antiphishing_antimalware_capabilities/">MarkMonitor AntiFraud Solutions Combine Proven Antiphishing and Expert Antimalware Capabilities</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Mar 23, 2009</li>
<li><a href="http://www.circleid.com/posts/20090319_dnsstuff_trusteer_against_online_fraud/">DNSstuff.com Offers Trusteer Rapport Product to Help Users Boost Their Defenses Against Online Fraud</a>
<br />
by <a href="http://www.circleid.com/members/3855/">DNSstuff</a> - Mar 23, 2009</li>
<li><a href="http://www.circleid.com/posts/20090520_dotmobi_names_autotradermobi_millionth_site_tested/">dotMobi Names AutoTrader.mobi as Millionth Site Tested by Acclaimed mobiReady Tool</a>
<br />
by <a href="http://www.circleid.com/members/1975/">dotMobi</a> - May 20, 2009</li>
<li><a href="http://www.circleid.com/posts/20090415_ip_rights_in_digital_environment/">IP Rights in Digital Environment Key Element of Proposed Treaty</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Apr 15, 2009</li>
<li><a href="http://www.circleid.com/posts/20090318_cocc_markmonitor_anti_phishing/">COCC Partners with MarkMonitor for Anti-Phishing Services</a>
<br />
by <a href="http://www.circleid.com/members/3844/">MarkMonitor</a> - Mar 18, 2009</li>
</ol>
<p>
<em>* Featured news updates from CircleID's industry participants; more information <a href="http://www.circleid.com/advertise/">here</a> - see 'Dedicated Marketing Channel' section</em>
</p><p><em>Written by <a href="http://www.circleid.com/members/501/">CircleID Reporter</a></em></p>]]></description>
			<dc:date>2010-01-04T13:56:00-08:00</dc:date>
			<category>internet</category><category>access_providers</category><category>broadband</category><category>censorship</category><category>cloud_computing</category><category>cyberattack</category><category>cybercrime</category><category>cybersquatting</category><category>data_center</category><category>dns</category><category>dnssec</category><category>domain_names</category><category>domain_registries</category><category>email</category><category>icann</category><category>internet_governance</category><category>internet_protocol</category><category>ip_addressing</category><category>ipv6</category><category>law</category><category>malware</category><category>mobile</category><category>multilinguism</category><category>net_neutrality</category><category>p2p</category><category>policy_regulation</category><category>privacy</category><category>regional_registries</category><category>security</category><category>spam</category><category>telecom</category><category>top_level_domains</category><category>voip</category><category>web</category><category>white_space</category><category>whois</category><category>wireless</category>
		</item>
		
		<item>
			<title>Last Decade in Spam</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/20100101_last_decade_in_spam/</guid>
			<link>http://www.circleid.com/posts/20100101_last_decade_in_spam/</link>
			<description><![CDATA[<p>CAUCE, the Coalition Against Unsolicited Commercial Email, has looked back at the notable events of the last decade in our industry.
</p>
<p>
[Each year/link below explodes to a discrete blog entry with a month-by-month break-out of notable events]
</p>
<p>
<a href="http://www.cauce.org/archives/145-This-Decade-in-Spam-2000.html">2000</a>
<br />
Y2K is possibly best described as the year the Mail Abuse Protection System got sued. A lot. MAPS, as many will remember, was the preeminent anti-spam blacklist at the time, in use by many major receiving sites, and they took some controversial steps to block some major email senders of the day, who in turn, launched lawsuits to prevent that from happening.
</p>
<p>
<a href="http://cauce.org/archives/147-This-Decade-in-Spam-2001.html">2001</a>
<br />
2001 was a year fraught with legal wrangling in Washington State, Arizona, the U.S. Congress, and the EU, false positives, ORBS operator Alan Brown being sued and threatened with arrest, and a spate of new email viruses.
</p>
<p>
<a href="http://cauce.org/archives/149-This-Decade-in-Spam-2002.html">2002</a>
<br />
2002 marks a year when politicians Sean Connery, Bill Jones &amp; Elizabeth Dole used spam to various effect, Ellen Spertus won $4.26 in her suit against a spammer, Joey McNichol was sued for calling someone a spammer in Australia, and Joel Hodgell lost a case and had to pay a spammer's legal fees. The FTC determined that unsubscribing from spam did nothing positive nor negative, and Bonded Sender, Habeas, and Cloudmark all launched their services.
</p>
<p>
<a href="http://cauce.org/archives/150-This-Decade-in-Spam-2003.html">2003</a>
<br />
2003 was the year of CAN-SPAM, AMEY (AOL, Earthlink, Microsoft &amp; Yahoo!) legal initiatives, the FTC Spam Conference, Scott Richter being sued for spamming, and the Sobig and Blaster viruses.
</p>
<p>
<a href="http://cauce.org/archives/151-This-Decade-in-Spam-2004.html">2004</a>
<br />
2004 saw Bill Gates make an infamous prediction, CAN-SPAM come into play and be immediately criticized by those who must enforce it, DomainKeys &amp; Sender ID battle it out in a popularity contest, and Scott Richter appear on The Daily Show with Jon Stewart, debate a spam cop, and go into the shmata trade. None end well.
</p>
<p>
<a href="http://cauce.org/archives/152-This-Decade-in-Spam-2005.html">2005</a>
<br />
2005 saw Scott Richter file bankruptcy to avoid paying fines, Alan Ralsky arrested, and CAN-SPAM evaluated for renovations. AOL gave away gold. Spammer gold.
</p>
<p>
<a href="http://cauce.org/archives/153-This-Decade-in-Spam-2006.html">2006</a>
<br />
Spam grows 143% in 2006. Christopher 'Rizler' Smith threatens to kill a witness in his trial, Alan Ralsky partner Daniel Lin pleads guilty. Datran Media settles a lawsuit filed against them over what is called "the largest deliberate breach of Internet privacy discovered by U.S. authorities". Goodmail stuns California senators, Blue Frog hops off into the sunset, pump &amp; dump is discovered to increase stock prices. Sanford Wallace is fined for distributing spyware, AOL wants to dig up some turf. e360 Insight wins its case against The Spamhaus Project. Australia wins against Wayne Mansfield.
</p>
<p>
<a href="http://cauce.org/archives/154-This-Decade-in-Spam-2007.html">2007</a>
<br />
Scott Richter made the news again in 2007, when MySpace sued him for phishing and spamming their members. The U.S. Securities and Exchange Commission became active in shutting down pump &amp; dump spamming organizations. Several major companies, including the Bank of America and Pfizer, were found to be hosting zombie computers. Physician, heal thyself. New Zealand, Hong Kong and Singapore adopted anti-spam legislation. Robert Soloway was arrested for spamming and a raft of other crimes. Mark Mumma lost his case against Cruise.com and the defendant was awarded $2,500,000 in damages. Jeremy Jaynes appealed his conviction. Xavier Ratelle was the first person charged under the U.S. Safe Web Act.
</p>
<p>
<a href="http://www.cauce.org/archives/156-This-Decade-in-Spam-2008.html">2008</a>
<br />
Alan Ralsky was arrested and charged. His co-conspirators begin testifying against one another. Robert Soloway &amp; Newport Marketing Corporation plead guilty. Jeremy Jaynes' conviction was overturned on constitutional grounds. Walt Rines and Sanford Wallace are found guilty of spamming MySpace. Eddie Davidson is sentenced to 21 months in a minimum-security prison, escapes, and tragically kills his wife and daughter, before taking his own life. Scott Richter loses a CAN-SPAM case to MySpace. Adam Vitale is found guilty under CAN-SPAM, rounding off his various convictions to 22. Lance Anderson and his gang were charged with spamming under American, Australian, and New Zealand law. American ISPs McColo and Atrivo are shut down, taking down botnets, temporarily. Former Neo-Nazi and 'bum fighting' video impresario Adam Guerbuez of Montreal, Canada is found guilty under a CAN-SPAM action launched by Facebook. They win a quarter of a billion dollars.
</p>
<p>
<a href="http://cauce.org/archives/158-This-Decade-in-Spam-2009.html">2009</a>
<br />
In 2009, Sanford Wallace was sued under CAN-SPAM by Facebook. The BBC controlled a botnet. Canada introduced serious anti-spam legislation, which didn't make it through the legislative process. Alan Ralsky pled guilty and went to prison with his co-conspirators. ISP Pricewert was taken down by the FTC for hosting botnet controllers, MEGA-D takes a hit as a result. FireEye took down the remnants later in the year. Habitat UK spammed Twitter using Iranian election hash tags. James Gordon lost his case against Virtumundo. Herbal King spammers Lance and Shane Atkinson are fined under New Zealand, Australian and American anti-spam law. Vodafone was fined for spamming for Coca-Cola. ASIS lost its CAN-SPAM case against AzoogleAds.
</p><p><em>Written by <a href="http://www.circleid.com/members/617/">Neil Schwartzman</a>, Executive Director, CAUCE North America</em></p>]]></description>
			<dc:date>2010-01-01T10:22:00-08:00</dc:date>
			<category>internet</category><category>cyberattack</category><category>cybercrime</category><category>dns</category><category>domain_names</category><category>domain_registries</category><category>email</category><category>icann</category><category>internet_governance</category><category>law</category><category>malware</category><category>mobile</category><category>policy_regulation</category><category>privacy</category><category>security</category><category>spam</category>
		</item>
		
		<item>
			<title>What Makes a Good ESP?</title>
			<guid isPermaLink="true">http://www.circleid.com/posts/what_makes_a_good_esp/</guid>
			<link>http://www.circleid.com/posts/what_makes_a_good_esp/</link>
			<description><![CDATA[<p>There are a number of things that make a responsible Email Service Provider (ESP), including setting and enforcing standards higher than those set by the ISPs.
</p>
<p>
One of the responsible ESPs is Mailchimp. (Full disclaimer, I do consult for Mailchimp.) This ESP focuses on businesses with small to medium sized lists. They screen new customers for source of permission as well as mail content.
</p>
<p>
As well as putting a human in the loop and identifying problem customers manually, they have also developed an automated process that predicts the likelihood that a certain customer will violate their standards. This process is very similar to the reputation process in place at many ISPs. Customers that are flagged as potential problems are reviewed by staff members who contact the customer for further clarification.
</p>
<p>
What's the benefit of this process? A good reputation, a clean customer base and positive notice by the ISPs. In fact, just recently I was contacted by one of the very large consumer ISPs, confirming that Mailchimp is one of my clients. He informed me that he'd noticed a few of the Mailchimp IPs had a really high reputation but weren't whitelisted. He asked me to send him all of their IPs so he could make sure all their IPs were whitelisted.
</p>
<p>
Proactive auditing of customers and predictive modeling of mailing results is working for Mailchimp and their customers.
</p>
<p>
Some ESPs have aggressive cancellation policies, which help them police their networks and their customers. I often encounter former customers of these ESPs, either as direct clients or as customers of my ESP clients. In one case, I was asking around about a new client at their old ESP. "They tell me they left you under their own power and there was no spam issue involved, can you comment?" The policy person would not comment specifically about that client, but did comment that "95% of our former customers were disconnected for cause."
</p>
<p>
These are two examples of ESPs that are working hard to minimize the amount of unwanted mail going through their network. They have invested time and energy into tools and staff to monitor the network. Staff is empowered to make decisions about customers and management believes no customer is "too big to disconnect."
</p><p><em>Written by <a href="http://www.circleid.com/members/4297/">Laura Atkins</a>, Founding partner of anti-spam consultancy & software firm Word to the Wise</em></p>]]></description>
			<dc:date>2009-12-22T06:42:00-08:00</dc:date>
			<category>internet</category><category>email</category><category>spam</category>
		</item>
		
	</channel>
</rss>