The Future of Some Email May Not Use Email

Paul McNamara quotes me extensively in this piece on the EFF protest of Goodmail. When I say “the EFF has lost its mind”, I really mean “the EFF has lost its way”. In the early days, the EFF was about preventing the government from ruining the Internet commons, and preventing the government from putting walls on the frontier. These days, the EFF is more about preventing companies who have no power to regulate from doing things the EFF doesn’t like. That is a huge change, and one that makes the EFF much less worthy of support.

The Goodmail case is a great example. What Goodmail is doing could lead to worse mail experience for people using the mail services of its partners. The result is those users will stop using those services. AOL has been seeing a steady decline in users for years for this very reason: email is particularly sensitive for novice users, and AOL’s email is unpredictable, particularly with small mailing lists. AOL regularly shuts off access to legitimate mailing lists, and many mailing list managers now have a form letter ready for AOL users who complain to them. The letters usually say “dump AOL”, although some letters more helpfully say “get a free email account at Gmail or Yahoo or MSN and subscribe to this list from there”. Either way, the user sees that the experts think that AOL is a bad system. If AOL starts losing more mail due to filter refactoring if Goodmail gets popular, even more users will flee.

Yahoo appears to be taking a more cautious approach, which may be why they’re doing much better than AOL. Yahoo is going to wait for AOL to make the mistakes before they start using Goodmail, and Yahoo is already saying that they mostly want to use it to mark bills and invoices sent through email as legitimate. The result will be fewer pissed-off users, and that’s a good thing.

What I said to Paul about Atom is true. Many of us see blogs as just the first driver for everyone to be able to read syndicated feeds on their computers. The next major wave of syndication will be one-way business communications, some of them personalized. Do you want ads from legitimate dealers of some hobby you have? No problem. Do you want notices from your bank when your online statement is ready? No problem, and the feed will be fully legitimate. If we’re lucky, it will even be digitally signed, and possibly encrypted (although that will probably take years to get right). There is lots of room for creative growth for syndication, and having a standard like Atom will help lay the foundation for it.

If MoveOn and other organizations want more assuredness of delivery of their message, they should be sending their message in channels that don’t have spam.

Comments

Larry Seltzer  –  Mar 1, 2006 8:51 PM

Paul seems to subscribe to the theory energizing the DearAOL coalition that once AOL starts accepting certified e-mail, service for non-certified mail will be degraded. “If AOL starts losing more mail due to filter refactoring if Goodmail gets popular, even more users will flee.”

Perhaps he can expand on this presumption because it seems to assume the very worst about AOL in terms of competence. The coalition assumes that AOL will overtly let their non-certified mail handling go to hell in order to blackmail people into using Goodmail. Neither of these seems like a reasonable outlook.

Paul Hoffman  –  Mar 1, 2006 9:48 PM

Larry is somewhat correct on both counts. I don’t assume the very worst about AOL’s competence, but I do rate it very low. Their current handling of mailing lists (banning them outright because one user says “this is spam” when 999 other users don’t) shows a very low understanding of what it is that their users want in their inbox. I also assume that AOL is likely to think that anything that they do that they label “anti-spam” will be loved by their users, and they are wrong about that.

We don’t know what AOL will do with un-certified bulk mail, but “go to hell” is certainly in line with what they sometimes do now with legitimate mailing lists. It is not reasonable from a user’s standpoint (but is reasonable from a cost standpoint), but that hasn’t stopped them so far.

Suresh Ramasubramanian  –  Mar 2, 2006 2:29 AM

I have heard from all over the place that moveon sent that petition about goodmail out to quite a few million users.  And they got what - 1500 odd people signing it? Even with a carefully written petition that adds to rather than subtracting from the general FUD that they and the EFF have been spreading about it?

Oh well. Leave them alone and they’ll go away I guess. I never saw the day when the EFF had a sensible thing to say about spam, ever.

Electronic “Frontier” Foundation?  Oh well, I know they mean the star trek style frontiers of space thing, but they’re more like a gary cooper style white hatted sheriff who suddenly finds himself transplanted from the “frontier” where men were men and even the blackhatted outlaws had a “code” into a crime ridden inner city ‘hood.

They have some good and clued people in there, like Brad Templeton. But his clue is counterbalanced by all the general FUD being spread by others (Cindy Cohn et al). Too bad :(

Brad Templeton  –  Mar 7, 2006 7:53 PM

Here is a dup of what I commented on McNamara’s blog post:

Some of the EFF’s positions on spam have indeed been unpopular with some because we don’t think it’s anywhere near time to throw the baby (of open email) out with the bathwater just to fight spam. We would love to see it stopped, of course, but not at the price of centuries old cherished values of how open communications work in a free society.

AOL, like all ISPs, should deliver legitimate mail to its users. That’s their first duty—primarily to the user, but there’s also a valid debate about the general architecture of E-mail to be had, since AOL handles so many users. They can block all the spam they want—this is a question of what they do with real, solicited bulk mail and person to person mail (solicited or unsolicited.)

What Goodmail means is that AOL is, rather than doing that duty, blocking a fair bit of legitimate mail. They are in effect selling “protection” from their own filters, because those filters are doing an imperfect job.

So imperfect a job, that it is felt that senders are so afraid of being falsely blocked that they will hand over serious change. That’s the goodmail business model. People will be so afraid of non-delivery that they will pay for protection from the filters that should never have been blocking them in the first place.

You think it’s way off the mark to be worried about that as a precedent? About what it means for the architecture of e-mail (now one of the world’s most important media of speech)?

Now, to be fair, there is another component of the goodmail program, which is beyond assured delivery and display of images, namely an expensive certificate program. It’s been possible to sign mail and get a certificate from various CAs for many years, and I am sure many senders have been hoping that mail user agents (like AOL) would start noticing those signatures and display an indicator that the sender of the mail is certified. Nothing wrong with that, but I expect senders didn’t think there would be a large per-message bounty on doing so. At most there were going to be fees from the trustable certificate authorities, one-time fees or annual fees.

Sure, E-mail tax is an inflammatory term. I wouldn’t have chosen it myself. It’s a metaphor for a scary concept.

What surprises me is that you’re standing up to defend the idea of paying for protection from something that shouldn’t be blocking you in the first place. Especially on something as important to a free society as e-mail.

Paul Hoffman  –  Mar 7, 2006 8:40 PM

> You think it’s way off the mark to be worried about that as a precedent? About what it means for the architecture of e-mail (now one of the world’s most important media of speech)?

Yes. It sounds like you trust market forces so little that you think users won’t leave AOL (or anyone else doing a poor job of delivering mail) for service providers who are doing a good job. History has shown that belief to be wrong.

Of course, if this system were instituted by a government, it would certainly be in EFF’s purview. But that’s not what is happening.

> Sure, E-mail tax is an inflammatory term. I wouldn’t have chosen it myself. It’s a metaphor for a scary concept.

It is also factually wrong. It is quite disappointing to us early supporters that EFF’s legal understanding has fallen so low that it does not understand the difference between a “tax” and a “surcharge”.

> What surprises me is that you’re standing up to defend the idea of paying for protection from something that shouldn’t be blocking you in the first place.

I’m glad that surprises you, because it is wrong. The article is very clearly critical of AOL for using Goodmail in the way that it is, and for its habit of incorrectly blocking legitimate mailing lists.

Brad Templeton  –  Mar 7, 2006 8:55 PM

If AOL were the only company to do this or plan this, market forces would indeed impinge on them.  But they are also one of the world’s largest ISPs, and Goodmail is an independent company with plans to make this as universal as possible, which is surely something that can be the subject of criticism?

If the government did this we would be taking it to court.  If various private entities seek to rearchitect the contracts and principles of E-mail, why is it inappropriate to sign a letter of criticism and opposition?  I don’t understand why you don’t think EFF or other organizations would do something like that?

The internet is a private network, a cooperative of privately owned networks.  There is no constitution there, no government, only the actions of the private companies.  They decide the architecture, they set the policies.  If the EFF were limited to suing the U.S. government, it would be pretty meagre as a force for protecting rights in cyberspace, which is our mission.

This is a bad precedent, a bad principle, and 500 organizations have signed on to the “letter of concern” that you think we’ve lost our way to have signed.

The letter, if you read it, uses such strong language as “express our serious concern” and “asking you to reconsider.”  Why should we not say such things?

Larry Seltzer  –  Mar 7, 2006 9:25 PM

Mr. Templeton:

> What Goodmail means is that AOL is, rather than doing that duty, blocking a fair bit of legitimate mail.

This is one of my problems with the dearaol.com argument: your assertion that AOL’s quality of service for non-Goodmail will degrade. You make this assertion in the face of explicit denials by AOL and speculation about economic incentives.

AOL already makes plenty of decisions, based on filters, whether or not to deliver mail, and these are necessarily imperfect decisions. With Goodmail they have just added a second decision path and outsourced the decision-making process, but to the end-user it’s still AOL making the decision, and the user will hold AOL responsible.

So what if the service doesn’t degrade?

Brad Templeton  –  Mar 8, 2006 12:08 AM

Well, Goodmail’s first announcement was that it would degrade, that the other whitelist programs would be phased out.  They later retracted that statement.  But surely one must wonder about the risk when you see statements like that retracted.

However, it’s not necessary for it to degrade to be highly concerned.  It is inherent in the goodmail business model that it has already degraded enough that people will pay lots of money to be protected from the incorrect filtering.  If not, people aren’t going to pay, not this much.  (As I noted, they might pay $100 one time for a certificate to sign e-mail with so their email is marked as authenticated.)

Sure, filters will have problems.  There are other ways to get past them than selling them a bypass.  It is the precedent that scares us most.  Services that used to be part of an open internet first start degrading, then you have to pay to get what came naturally before.

Does this remind you of anything?  We see ILECs saying that web sites should pay for quality delivery of packets to customers on the lines the customers already paid for.  This trend is popping up all over the place.  People have been proposing paying for e-mail for a decade now.  There’s reason to be scared when it starts becoming real.

For those defending it, why are you defending it?  Do you think it’s a good trend?  Do you think it will stop spam at all, let alone better than other methods?

Larry Seltzer  –  Mar 8, 2006 1:24 AM

> For those defending it, why are you defending it?  Do you think it’s a good trend?  Do you think it will stop spam at all, let alone better than other methods?

I don’t think of it as a good thing, but it’s not a bad thing either.

And the idea that it’s supposed to stop spam is a straw man set up by opponents to discredit it. It’s not supposed to stop spam, it’s supposed to stop some false positives.

The comparison to network providers (it’s basically ILECs, but not necessarily them) using QoS to degrade service is another straw man, because the idea there is explicitly to degrade service.

So far all I hear from you is false comparisons and that it all rubs you the wrong way. I don’t suppose you’ll give AOL any credit for offering free service to non-profits and advocacy groups, will you?

Brad Templeton  –  Mar 8, 2006 1:39 AM

Of course it’s part of an anti-spam effort.  It doesn’t make a lot of sense other than in the context of anti-spam efforts.  It’s a proposal to “put up strong spam filters and tell people they can pay if they are worried about the false positives.”  How is that not about anti-spam?

I’m sorry you don’t get the comparison to the ILECs.  I realize the world doesn’t read my blog or various others on the topic, but the ILEC plans need not involve degradation of service.  In their case, keeping links the same speed over time is a virtual degradation because better tech makes them seem worse.  An ISP that sold you a 56kb line in 1990 would not have degraded service if today they offered you the same 56kb line and charged web sites if they wanted to send you traffic through extra, faster, non-public lines.  Your service remained the same.

No, it’s not just a feeling of being rubbed the wrong way.  I apologize if you are not familiar with the very long history of diverse proposals along these lines and the dangers they present.  This is just one event in a long chain.  It’s hard to see what’s good about it, except for Goodmail. Sure, people will pay, but not because they want to.  The “value” they get is that mail that should never have been blocked is not blocked.  They will pay because they have to.

The Famous Brett Watson  –  Mar 8, 2006 1:58 AM

Brad, the comparison with those ISPs that want to be paid twice is invalid for one very good reason: spam filtering is an added service. This isn’t just a case of “how can we wring more money out of the existing situation”, which appears to be the attitude of the carriers to whom you refer.

AOL doesn’t just provide an email service: thanks to spammers, a pure email service tends towards worthlessness over time. Instead, they’re providing a filtered email service. Imperfectly filtered, of course, but that’s inevitable. That filtering represents extra work and extra value not present in your earlier comparison, in which carriers just want to charge a second party for a service already provided, under threat of degrading that service.

But perhaps I’m wrong. Perhaps you’re saying that the AOL customer already paid for filtered email, so why should the mail sender pay as well? Well here the situation is also different, because unlike most Internet activity, email is initiated by the sender. The senders (spammers) are the ones driving up the cost of email for the recipients: “the wrong folks pay for this scourge.” The Goodmail approach actually addresses the issue in the only meaningful way: cost shifting.

The asymmetry of email is the issue here. Senders get to select their targets and associated costs: recipients get to be targets, and bear the ever-increasing cost of keeping their inbound email service usable. Does the EFF consider this arrangement to be fair and right? Is this what you mean by “open email”: open season on recipients? This does not mesh with my sense of fairness or liberty.

I’d like to think that in the long term we can come up with technical approaches which make the recipient’s end of the deal cheap and easy: enough so that charging senders for filter-bypass just isn’t economically viable. Attaining such a state is proving difficult: I’m attempting to earn a PhD out of my efforts. But until we can reach such a stage, the EFF’s objections to Goodmail don’t come across as pro-freedom-of-speech, so much as oppressive to recipients who are already getting the raw end of the deal.

Suresh Ramasubramanian  –  Mar 8, 2006 2:11 AM

> Well, Goodmail’s first announcement was that it
> would degrade, that the other whitelist programs
> would be phased out.  They later retracted that
> statement.  But surely one must wonder about the
> risk when you see statements like that retracted.

AOL made a big, big mistake early on in this… announcing this thing on the website of the direct marketing association, and on a marketers newsletter

Which then muddied the issue a little.

And then at least two other reputation vendors who quite likely didn’t understand just what was going on at the time released fairly alarmist press releases. To their credit, subsequent releases / blog posts etc from these two vendors seem to have considerably toned down after they did a bit more research .. but the damage was done.

The mass media picked up on a whole lot of distorted nonsense.  And Cindy stirred the pot with a little more FUD and a gratuitous “non profits are going to be shaken down before sending email to AOL” meme, of course with moveon.org as an example.

Please, Brad - your comments here, and Danny’s comments elsewhere (in Justin Mason’s blog for example) have been quiet, and reasoned. And I had that same impression about more than one long discussion we had off IP / politech. 

Cindy’s statements, and moveon’s tub thumping aren’t reasoned, or even balanced.  Please do see if future press releases or other posts from the EFF about spam come from you or Danny, rather than say Cindy. And extra points if these just don’t mention moveon.org, which finds itself blocked at a wide variety of places for reasons other than that it’s a non profit which bravely refuses to submit to “blackmail” by AOL.

regards
-suresh

Brad Templeton  –  Mar 8, 2006 2:17 AM

I don’t want to open up the whole spam debate here, we’ll be at it forever, as everybody knows.

The similarity to the ILEC move is at the high level—view it either as paying twice for something or paying extra for what is normally viewed as part of what an internet service is.

AOL selling spam filtering is fine.  But in this case your who-pays logic is exactly reversed.  Yes, it would be nice if spammers would pay for the burden they cause.  But Goodmail is, one hopes, not a charge on spammers, but on legitimate mailers, exactly the folks not to charge.

Some people think the invention of the internet has to do with packet switching.  That existed many other ways.  The true invention that created the internet we know and love was its cost contract.  I pay for my half, you pay for yours, and we don’t sweat the packets.  I won’t reproduce all my essays on this topic here, but I believe the case for this is compelling.

Sure, spammers abuse this contract.  And we should find ways to get those spammers.  But not by undoing the system that is the very foundation of all that’s valuable.  Not by putting the cost burden on the innocent.

You may say, “well, spammers put a burden on the innocent” and indeed they do.  But we are not spammers, we are a lot better than them.  That spammers attack the innocent is no reason to decide it’s ok to punish the innocent in order to build anti-spam systems.

This used to be such a fundamental principle of our systems of justice that I would not even need to spell it out.  Spam, for some reason prompts people to abandon it amazingly quickly, whether it’s with capricious blacklisting, large numbers of false positives or charging for protection from filters.

We’ll stop the spammers.  But not by compromising the values and foundations that make the network what it is.  If you think we will have to compromise them, then I hope you still feel it should only be by being dragged, kicking and screaming, into doing so.

The Famous Brett Watson  –  Mar 8, 2006 5:01 AM

Brad says:

> That spammers attack the innocent is no reason to decide it’s ok to punish the innocent in order to build anti-spam systems.

Where behaviour involves attacking the innocent—even potentially—I agree, but asking senders to pay a premium for preferential handling does not constitute an attack on the innocent. There is a difference between attacking the innocent and asking other innocent parties to share the cost created by the guilty. Further, there’s a difference between attacking and inconveniencing: a bounced legitimate message due to a blacklist entry is inconvenient, but it’s not an attack, because it’s part of the email contract that a message may be refused for policy reasons, ceteris paribus.

Further, even if all filtering costs are shifted to legitimate senders, rather than recipients, this produces a fairer system. The act of sending mail to a particular address (and potentially paying a premium for it) is an action that can be performed selectively, with a great deal of control on the part of the sender as to whether and how much they participate in the system. The whole problem with spam is that it’s not so easy to be selective about what you receive. If some innocent party is to bear the cost of spam, it is best if that party has control over how much they participate in that cost. Outside of whitelisting, recipients basically get a choice of “all or nothing”.

So, much as I admire your willingness to bear the cost of spam on behalf of all your legitimate senders, I think you’ve fallen into error when you call certain other modes of behaviour ‘punishing the innocent’.

Nothing in what I’ve said here contradicts (or, in my judgement, even bears much relevance to) your “don’t sweat the packets” remarks, with which I agree.

Peter Bowyer  –  Mar 8, 2006 6:30 AM

This ‘attacking the innocent’ line is getting way out of hand. Let’s look at all the parties involved in a post-Goodmail/AOL situation:

1. The legitimate commercial emailer

Legitimate emailers already work very hard and spend time/money improving the deliverability of their email into AOL. I blogged an article on Clikz which suggests that an average emailer loses 43% on their click-through rate into AOL, and anything they can do to improve this can easily pay for itself. So they’re not ‘attacked’ - on the contrary, they’ve been given a no-brainer solution to a big problem.

Certification also gives them another reason to stay white-hat - once they have certified status, they won’t risk losing it through bad practice.


2. Goodmail

They’ve found a gap in the market, and will hopefully make some money for their investors. That’s not a crime.


3. AOL

They have long had a reputation for an open, helpful attitude towards legitimate bulk email. They publish chapter and verse on their 2-tier whitelist system; they have the feedback loop to allow emailers to monitor their own performance; they participate in forums such as SPAM-L to help people understand their processes.

The introduction of CertifiedEmail allows them, too, to have an extra tool in the bag - and offer an extra service to their members - the ability to highlight a message in the member’s inbox as coming from a certified sender.

AOL representatives have repeatedly stated that any revenue-share they get from Goodmail as part of the deal will be a drop in the ocean. Implementing a new feature in their client will cost them way more in comparison.


4. AOL members

AOL offers a unique experience for an internet user. I doubt many readers of CircleID use it - I certainly don’t - we’re not part of AOL’s target audience, and it wouldn’t work for us. But it does work for a lot of people, and these are the people who will benefit from a bit of help with their email. Online safety is important to them.

Those that don’t like it have a choice - they can choose to use a different email provider or a different ISP. AOL hopes that CertifiedEmail will add some value for their members and keep them that little bit more loyal. The ISP business is all about retention, and this is plainly a retention play.


5. The spammer/phisher

There’s very little change for this player in the first instance. They don’t qualify for CertifiedEmail even if they could afford to spend the money. They’re stuck in the spam filters in the same way as now.

Over time, if a significant number of legitimate emailers get certified, then the non-certified phishing attempt against a certified sender which does reach the inbox will stand out like a sore thumb and be much less believable.


6. The non-profit emailer

These are the people about whom the fuss is being made. They have the same for-free options they do now with the whitelists, plus another one - get certified (which AOL have said they will pay for, details TBA, but it can’t be a bad thing). In the same way as the commercial emailer can cost-justify certification, so can the NFP - particularly if the up-front costs are paid for.

Of course, they can still choose to disbelieve what AOL and Goodmail are saying, in order to make political points. But that’s business-as-usual campaigning for certain pressure groups, and should be read as such.

Brad Templeton  –  Mar 8, 2006 7:58 AM

You may find “attacking” to be too strong a phrase here.  But I don’t like the statement that senders are paying a “premium” for “preferential” handling here.

What they’re paying for is preferential handling only in the context of a service that was deliberately degraded, to use a vocabulary from earlier in the thread.  They’re really paying for the sort of handling they were supposed to get in the first place, at no extra charge.

Of course, only an AOL can pull something like this off.  If I tried to tell the businesses that send me bills or the mailing lists I join that they must pay 1/4 cent for each mail they send me, they would tell me I may end up missing mails from the list.

But the real point is beyond AOL.  I understand the various discussions here about the specifics of AOL’s program, and how they have now vowed to continue the regular whitelist program, which is good.  The real point is the precedent.  There is every indication we’ll see much more than this.  As one of the first people in the world to write on the topic, I see the e-stamp proposal come up every couple of months as a great new idea.  So far it’s always been stamped out or it’s fizzled out.  No longer.  I really feel the risk of this program expanding on top of the AOL precedent is large, and so the AOL precedent must be protested.

Hector Santos  –  Mar 8, 2006 12:55 PM

Brad,

Your point is well taken. 

One top concern I have is the reply process or more specifically,  the interference of legitimate user/vendor contact business.

Example:  AOL user is interested in a company product. So the AOL user sends a sales inquiry to the product company domain.  The company responds with product marketing and sales detailed information, links, images, etc, etc. 

So the question is, when the AOL user sends mail to domain users who are not part of certification, will the domains be automatically whitelisted in anticipation of a reply? 

Will it be blocked? Will it be pruned? Will it be delayed?

Will the company lose exclusive business because they lack an AOL/GOODMAIL certification? 

Will AOL/GOODMAIL interfere in the delivery with an intermediate process or response to the company informing them their mail has been “delayed” and thus begin a domain registration campaign to solicit “membership” to guarantee the delivery process?

What if the company refuses to participate and it loses business?  Will they sue AOL for tortious interference?

Remember, the key difference here is that the company is only doing business with the AOL user because the AOL user solicited information from the company.  Will this company be automatically whitelisted or “certified?”


Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
Wildcat! Interactive Net Server
Platinum Xpress Mail/File Frontend System
Silver Xpress Offline Mail System,
iFTP - intelligent FTP

The Famous Brett Watson  –  Mar 8, 2006 1:38 PM

Brad,

Is this what it comes down to: that any attempt to make a (legitimate) sender pay for email connectivity, beyond the base cost of Internet service, is beyond the pale? I don’t want to put words in your mouth, but that seems to be the final resting point of your argument, and I’m just trying to determine your stance clearly.

Hector Santos  –  Mar 8, 2006 1:39 PM

Peter,

I think you have a 7th entity or maybe a variant of #1

- 7. User solicited Vendor Contact/Contract

This is different from #1 because there is little expense here. The user has solicited information or possibly joined a company new product mailing list.

The company may not have an operation or cost to determine if the user is indeed getting the mailings. The only cost is producing the content and pushing a send button to this “exclusive” direct market of user/vendor contacts.

I never bothered to check until now but I see we have over 600 customers (people who have our product) and using @AOL.COM, they signed up to obtain product update announcements.

I also see not one of these AOL.COM list members are recorded as SMTP failures in the delivery of mailings. In other words, AOL.COM did not reject or bounce any of the AOL.COM SMTP transactions.  This is not like the other many records I see who are automatically marked Inactive for lack of successful SMTP delivery.

So have we been losing business all along with AOL.COM blindly accepting all recipients and just dropping the mail?  Again, we are not in the business of “spamming and tracking” people.  We probably should be for our business, but it is not something we do.  In other words, we never saw the need to join AOL’s Bulk Mailer WhiteList.

Are you suggesting that if we pay AOL/GOODMAIL the 1 penny per message or for us, ~$6.00 per product update announcement mailing, we might realize a better business from these AOL.COM customers?

Although this sounds like a good proposition, the difference today is that there will be contracts and money involved now. There are a new level of legal issues here.  For us, of course, $6.00 is peanuts, but it does raise the question or concern for a much larger user/vendor AOL association.


Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com
Wildcat! Interactive Net Server
Platinum Xpress Mail/File Frontend System
Silver Xpress Offline Mail System,
iFTP - intelligent FTP

Daniel T. Dreymann  –  Mar 8, 2006 2:43 PM

I will not address all aspects of CertifiedEmail, true and mischaracterized, referenced in this thread. Those truly seeking to understand our system and our value proposition can go to our website and educate themselves there. Mr. Templeton, you are personally invited to visit us in Mountain View for a personal guided tour of how the system works.

One paragraph merits comments though:

Mr. Templeton (whom I thank for acknowledging the “tax” term was inflammatory) wrote:

> It is inherent in the goodmail business model that [the current email service] has already degraded enough that people will pay lots of money to be protected from the incorrect filtering.  If not, people aren’t going to pay, not this much.  (As I noted, they might pay $100 one time for a certificate to sign e-mail with so their email is marked as authenticated.)

Let me start by agreeing with Mr. Templeton: email is indeed broken.

In a perfect world, customers are not phished, spam doesn’t exist, and legitimate messages are never caught in spam filters (as filters are yet to be invented, no spam nor phish in the perfect world – remember?).

Ergo Mr. Templeton’s theorem: Goodmail’s business model is flawed because it acknowledges we live in an imperfect world.

Now for the $100 certificate solution…

Senders are not paying Goodmail only to assure delivery, they get other benefits (e.g.: accurate delivery reports). And paying Goodmail, by itself, does not assure delivery as there are additional requirements a sender has to satisfy (such as maintaining very low complaint scores, honoring unsubscribe requests, etc.). We have explained these attributes ad nauseam, and yet, people keep burning strawmen of their own build.

This certificate solution presumes a “certificate authority” can issue a certificate and then leave the stage. At $100, or at any other fixed price, there would be a long queue of buyers for an unlimited license to spam and phish.

The certificate proposal is the worst possible solution for small senders. A certificate that provides unlimited privileges would be also unobtainable for most senders. An egalitarian certificate that provides privileges commensurate with a risk assessment, monitored in real-time and tied to volume, is well … CertifiedEmail.

A one-time accreditation is only the first step with the CertifiedEmail service. Privileges and token allocations are assigned carefully; each message is individually tracked; sending and complaint profiles are built and monitored; alerts are issued; privileges are revoked – all that to safeguard the system’s integrity and to protect the consumer on the receiving end. Furthermore, to protect privacy, it is all done without Goodmail being ever exposed to message content or to recipient addresses. This can’t be done for $100.

As noted above Mr. Templeton wrote:

If not, people aren’t going to pay, not this much.

To put things in perspective, let me quote John Rizzi, CEO of email service provider e-Dialog:

Assuming 0.25 cents is the cost, an average mailer that mails twice per month will pay 6 cents a year per address. That’s 6 freakin’ cents. If you break it down per recipient, it’s nothing. I think anybody who looks at that and says, ‘hmmm, my customer isn’t worth 6 cents to me,’ ought to look in the mirror and see a spammer looking back.

AOL has announced a FREE delivery service for nonprofits. Goodmail has announced it will subsidize nonprofits and offer a 90% discount to nonprofit organizations wishing to use CertifiedEmail. I suspect some “coalition” members are not opposed to the pricing (can you beat “free”?!) but rather to the other qualifying aspect of the outlined policies: you can’t continue to spam.

Daniel Dreymann, Goodmail Systems

Peter Bowyer  –  Mar 8, 2006 3:00 PM

Quoting Hector Santos:

I think you have a 7th entity or maybe a variant of #1

- 7. User solicited Vendor Contact/Contract

This is different from #1 because there is little expense here. The user is solicited information or possibly joined a company new product mailing list.

The company may not have an operation or cost to determine if the user is indeed getting the mailings. The only cost is producing the content and pushing a send button to this “exclusive” direct market of user/vendor contacts

I don’t believe this class of email is considered ‘bulk’, and therefore is not subject to the same checks at AOL. But I can’t speak for them - so I’d better not…

Peter

Peter Bowyer  –  Mar 8, 2006 3:08 PM

Quoting Brad Templeton:

What they’re paying for is preferential handling only in the context of a service that was deliberately degraded, to use a vocabulary from earlier in the thread.  They’re really paying for the sort of handling they were supposed to get in the first place, at no extra charge

The service that the email sender is enjoying was ‘deliberately degraded’ in a way that the ISP, on behalf of the paying customer, has determined. Any such paying customer must surely be considered as having agreed to such a ‘degradation’ by continuing to use the service.

(Both the ISP and the paying customer probably would classify the ‘degradation’ as an ‘enhancement’, anyhow).

There’s no valid expectation on the part of the email sender of any particular level of service, unless they’ve entered into a contract for such - enter Goodmail. For the first time, an email sender can contract for a level of service.

(I haven’t seen Goodmail’s terms of service, and I’m certainly not qualified to interpret them)

Peter

Hector Santos  –  Mar 8, 2006 3:50 PM

Mr. Dreymann,

In essence, your system is indirectly “taxing” legitimate business operations who are contacted by AOL.COM users.

I have reviewed your “How It works” system, it is a purely inbound concept. It doesn’t have, or I don’t see it, any automatic consideration for the outbound initiated process when the USER itself has made the initial contact to the outside world. 

Many systems, including our mail server will automatically and temporarily “white list” a target email domain that the user is sending mail to.  This allows the address to obtain immediate “acceptance” consideration when a REPLY is made back to the user. I do not see this consideration in your design.

Since the odds are good, especially in a business environment, the response will contain “tags” that might trigger a spam filtering system, in order to justify the cost of your system, the priority of these filters will be raised.  Otherwise, how do you maximize your profits?  AOL has to prioritize filtering when non-CertifiedEmail is received.  That’s a no-brainer and a given.

So how do you handle systems that have no interest in unsolicited mail operations, but are simply responding to user’s request?  I don’t see this consideration in your design.  According to CAN-SPAM, complaint systems with user-vendor contracts have a right to do business.

In addition, on a related technical note, the same issue I see with DKIM and DOMAINKEY, the importance or added-value given to filtering online hosted user mail is great.  That is very important.  But what if the mail coming from this GOODMAIL systems that do not have tags?  Should we reject them? 

What if a user is roaming or on vacation and is using his AOL account from another non-AOL server, yet certified using other technology, to deliver mail, what assurances do you have that you are not hurting the users that want to non-certifiedEMAIL receivers but have learned that AOL.COM is part of the system and uses this fact as a filtering rule?

Finally, you have the same chicken and egg problem that all 822 based technology suffer from.  You are most definitely “taxing” the network and receiver systems by now having to receive 2822 data blocks when the majority of all emails are malicious or unwanted.

Please note, I am not downplaying your system. I’m sure it will have its place in the market.  It was predicted many years ago and it was just a matter of time when one of the largest ISPs will take the plunge.  But to suggest or imply it will not have a negative impact and quite possibly detrimental effect on systems that are not part of the GoodMail network is short in vision and understanding of the true nature of the email infrastructure.

Hector Santos, CTO
Santronics Software, Inc.
http://www.winserver.com
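The temporary reply whitelist Mr. Santos describes above, sketched as an added example; it is not code from Santronics, Goodmail or any participant in this thread. The class and function names, the one-week lifetime, the spam-score threshold and the rule that shared mailbox domains are whitelisted per address rather than per domain are all assumptions made for illustration.

```python
import time


def _split(addr):
    """Return (local_part, lowercased domain); ValueError if malformed."""
    addr = addr.strip().strip("<>")
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an address: {addr!r}")
    return local, domain.lower()


class ReplyWhitelist:
    """Remembers, per local user, where that user recently sent mail."""

    def __init__(self, ttl=7 * 24 * 3600, shared_domains=("aol.com",)):
        self.ttl = ttl  # assumed lifetime of an entry, in seconds
        # Assumption: for large shared mailbox domains only the exact
        # correspondent is trusted, not every sender at that domain.
        self.shared = {d.lower() for d in shared_domains}
        self._expiry = {}  # (local user, remote domain or address) -> expiry

    def _key(self, local_user, remote_addr):
        local, domain = _split(remote_addr)
        remote = f"{local.lower()}@{domain}" if domain in self.shared else domain
        return (local_user.lower(), remote)

    def note_outbound(self, local_user, rcpt, now=None):
        """Call once per accepted outbound recipient."""
        now = time.time() if now is None else now
        self._expiry[self._key(local_user, rcpt)] = now + self.ttl

    def allows(self, local_user, sender, now=None):
        """True if local_user wrote to this sender's domain recently."""
        now = time.time() if now is None else now
        try:
            key = self._key(local_user, sender)
        except ValueError:
            return False  # null or malformed envelope sender never matches
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if expiry <= now:
            del self._expiry[key]  # lazy purge of the stale entry
            return False
        return True


def inbound_decision(wl, rcpt_to, mail_from, spam_score, threshold=5.0, now=None):
    """Local-policy step that runs before content filtering."""
    if wl.allows(rcpt_to, mail_from, now):
        return "deliver (reply whitelist)"
    return "deliver" if spam_score < threshold else "quarantine"


if __name__ == "__main__":
    # Constructed sample traffic, not taken from any real mail log.
    wl = ReplyWhitelist(ttl=3600)
    wl.note_outbound("pat@example.net", "sales@vendor.example", now=1000)
    for rcpt, sender, t in [
        ("pat@example.net", "support@vendor.example", 2000),  # solicited reply
        ("lee@example.net", "support@vendor.example", 2000),  # other user
        ("pat@example.net", "support@vendor.example", 5000),  # entry expired
    ]:
        print(rcpt, sender, inbound_decision(wl, rcpt, sender, 9.0, now=t))
```

The envelope sender is trivially forged, so a deployment would pair this lookup with a sender authentication check before letting a match bypass filtering.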

Daniel T. Dreymann  –  Mar 8, 2006 4:34 PM

Mr. Santos,

Thank you for the note. Answers below.

In essence, your system is indirectly “taxing” legitimate business operations who are contacted by AOL.COM users.

We provide another option for these businesses to assure their messages go through and are perceived as legitimate by consumers. You do not have to use it. If you get good results today, if your messages are not blocked, if they don’t land in spam folders, if your customers never mistakenly take your good message for a phish, if they never fall for a phishing scam pretending to be from you – then you REALLY don’t need to use CertifiedEmail. You are not taxed; you don’t need to use our services. As repeated ad nauseam: no ISP will purposely block messages they suspect recipients want. That would be suicidal for them. If you reply to an aol.com message with a (non-certified) message of your own, nothing changes for you because AOL deployed CertifiedEmail.

Many systems, including our mail server will automatically and temporarily “white list” a target email domain that the user is sending mail to.  This allows the address to obtain immediate “acceptance” consideration when a REPLY is made back to the user. I do not see this consideration in your design.

We do not replace any infrastructure at the ISP, CertifiedEmail is an additional layer. In fact I assume some ISPs about to deploy CertifiedEmail may already do what you describe. Clearly, using CertifiedEmail doesn’t stand in their way.

AOL has to prioritize filtering when non-CertifiedEmail is received.  That’s a no-brainer and a given.

Yes there is a priority: you don’t go through filters, you get a visual certification mark displayed to the recipient and you get accurate reporting back. This is over and beyond what a sender gets today with non-certified messages. Purposely degrading treatment of non-certified message makes no economic sense: any revenue from CertifiedEmail will be dwarfed by losses stemming from churn with dissatisfied customers leaving the ISP in droves.

So how do you handle systems that have no interest in unsolicited mail operations, but are simply responding to user’s request?  I don’t see this consideration in your design.  According to CAN-SPAM, complaint systems with user-vendor contracts have a right to do business.

Again, we do not replace any ISP’s infrastructure. We are an overlay. And please, stop saying our system caters to unsolicited mail. Please read our AUP.

In addition, on a related technical note, the same issue I see with DKIM and DOMAINKEY, the importance or added-value given to filtering online hosted user mail is great.  That is very important.  But what if the mail coming from this GOODMAIL systems that do not have tags?  Should we reject them?

Absolutely not. You give such messages the same treatment (or better as filtering technology improves) as you give them today. CertifiedEmail will boost a consumer’s email experience but competition between ISPs doesn’t stop with the introduction of CertifiedEmail. They will all continue to improve.

What if a user is roaming or on vacation and is using his AOL account from another non-AOL server, yet certified using other technology, to deliver mail, what assurances do you have that you are not hurting the users that want to non-certifiedEMAIL receivers but have learned that AOL.COM is part of the system and uses this fact as a filtering rule?

I repeat: Non-CertifiedEmail is not filtered out. Non-CertifiedEmail is not filtered out. Non-CertifiedEmail is not filtered out.

Finally, you have the same chicken and egg problem that all 822 based technology suffer from.  You are most definitely “taxing” the network and receiver systems by now having to receive 2822 data blocks when the majority of all emails are malicious or unwanted.

Sorry but this is wrong. If you don’t send CertifiedEmail, the adoption of CertifiedEmail by a recipient has zero influence on your infrastructure. You will not get back any data blocks. Zero, nada, zilch.

Best,

Daniel

Hector Santos  –  Mar 8, 2006 5:43 PM

Mr. Dreymann,

Hmmm, I never said or wrote your system catered to unsolicited mail?

What I said and I will paraphrase it:

  The ISP/ESP system using a GoodMail System will prioritize
  non-CertifiedEmail messages in the filtering process. 

I believe you admitted to this as much.  This is clearly illustrated in step five through seven of your “How it works” diagram. 

In addition, what I pointed out is that your system has no consideration whatsoever to whether incoming mail is solicited or not by the users.  You answered to this is an ISP local policy or implementation consideration.

If this is not the case, then your system can hurt user solicited mail response transactions from non GoodMail certified mail senders.  In other words, your system puts non GoodSystem senders in harm and you might be liable if you neglect to inform your ISPs to implement an automatic whitelist concept (like a step before 5 that involves a local policy concept).  Why? Because you have been made of this today, therefore ignoring this any further is intentional neglect.  But don’t listen to me. Speak with your chief counsel about this.

The defense is if AOL does not change the non-CertifiedEmail filtering process. However, if this is enhanced, prioritized or changed, then I see problems down the road for you guys if you don’t incorporate an automated whitelist concept as part of the total GoodMail implementation operation.

Nonetheless, the debate centers around the effects of your system which I believe you wish to deny will exist, as if this system will plug right into an ISP system and have no effect whatsoever to all the external points.  It’s unrealistic.

Finally, the point about the 2822 data blocks is best illustrated by example.

Now that AOL.COM is going to implement this Goodmail system, should we expect mail coming from AOL.COM to be certified?  If a system has to pay GoodMail to send mail to AOL.COM accounts, when should we not expect AOL.COM to be certified itself?  Should we charge a fee to AOL.COM to accept non-certified messages?

Receiver systems could implement scoring rules to check on the GoodMail stamps at the DATA stage.  If the tag is missing, this could be a deterministic action for rejection.

If certification is optional for AOL.COM incoming mail, you have done nothing to improve the process but just add more bandwidth and a new threat entry point of “Fake CertifiedEmail” messages.  This is already happening with DKIM and DOMAINKEY. There is no reason to believe it will not happen with your system as well. 

The only way to 100% validate the AOL.COM messages coming in would be part of your network. 

Here is a proposal I think your system can benefit from. It would be a compromise with SMTP vendors as well as mail operators of all sizes:

Make the CertifiedEmail Validation process an open process for any SMTP vendor to implement.  The Signing or Imprinter process would be a customer added-value purchase option.  But at the very least, you will give SMTP developers and Mail systems some power to validate AOL.COM or Goodmail tagged incoming mail.  Validating incoming mail should not be a FEE-BASED concept.

What do you think?

Hector Santos, CTO
Santronics Software, Inc.
http://www.santronics.com

Brad Templeton  –  Mar 8, 2006 7:50 PM

Notes on several points:

a) It’s good that AOL and Goodmail plan to have subsidies for non-profits. But remember what we’re particularly concerned with is the extrapolation of this out to most ISPs. Will they all do this? Will they all use Goodmail? Will there be competition in the space? Will all bulk mailers have to get accounts with all the services, and go through a registration process and have their email activities monitored? (That includes me, I have 400 people on my social list for mailings 3-4 times a year. Perhaps just $4 at Goodmail price so the real cost is the signup and monitoring and associated fees.)

For more details of all the things that can go wrong with e-stamp systems see http://www.templetons.com/brad/spam/estamps.html

b) Charging the senders of data, be it E-mailers or Google, is an issue any time it’s proposed because it breaks the internet cost contract.

http://www.templetons.com/brad/spam/shared.html

c) The mail service was, in general, degraded because the customer asked for it, but of course the customer did not ask for legitimate mail to be blocked. At best (if they are even aware of the ratios) they begrudgingly accepted that in the attempt to block spam, they would lose some real mail. Sometimes they get quite upset when they learn this happens, with the classic example being the Harvard acceptance letters AOL blocked many years ago.

Many people, it turns out, have totally non-published email addresses that get zero spam. I have large numbers of these myself. They have no spam filtering on them. The AOL users in the same boat have no desire for this degradation, nor to have to pay (indirectly, if it’s from companies they do biz with or charities they donate to) for the Goodmail certification and delivery guarantee.

d) As for the costs of certifications of various levels, that’s not a problem. Goodmail and AOL would be well served to drop the per-email price model and focus on the certification business, and to do so using open IETF standards so that we can have a competitive marketplace with competitive prices. I understand the attraction of doing discriminatory pricing based on e-mail volume, but it’s a rathole, as one would hope you have seen by now. It’s bad precedent, requires monitoring of individual mails rather than just a complaint system and has many other flaws.

(Sorry about formatting, I wrote this in a regular text editor but CircleID doesn’t seem able to handle it.)

Daniel T. Dreymann  –  Mar 8, 2006 10:11 PM

Dear Mr. Templeton,

Good points, I’ll do my best to address them:

a) It’s good that AOL and Goodmail plan to have subsidies for non-profits.  But remember what we’re particularly concerned with is the extrapolation of this out to most ISPs.  Will they all do this?  Will they all use Goodmail?  Will there be competition in the space?  Will all bulk mailers have to get accounts with all the services, and go through a registration process and have their email activities monitored?

Excellent questions. Shouldn’t we let the market decide how many such services are needed and see how broad is their adoption by senders?

That includes me, I have 400 people on my social list for mailings 3-4 times a year.  Perhaps just $4 at Goodmail price so the real cost is the signup and monitoring and associated fees.

I don’t see why you would certify your messages. Your volume is so low that I doubt you run into problems with filters. Is there anybody out there phishing your social list, sending messages pretending to come personally from you and soliciting a donation? The token price includes “monitoring and associated fees”. We will also have a very modest accreditation (“signup”) price for very low volume senders that still wish to enjoy the benefits of CertifiedEmail. Should you decide to become a CertifiedEmail sender, your cost is going to be absolutely negligible vs. other costs associated with sending email (internet access fees, hardware, software, ..).

b) Charging the senders of data, be it E-mailers or Google, is an issue any time it’s proposed because it breaks the internet cost contract.

Where is the “internet cost contract” when a spammer sends 20 million unwanted messages and gets none in return?!  We are not talking about a symmetrical exchange between ISPs (I’ll send you mail, you’ll send me mail, we’re both happy) but about a terrible asymmetry where some senders abuse the system. As a result, receivers got defensive and false positives became inevitable. CertifiedEmail is one attempt to fix part of the problem.

The only contract that counts is the one an ISP has with its subscribers: I’ll do my best to give you the messages you want and to block those you do not.

c) The mail service was, in general, degraded because the customer asked for it, but of course the customer did not ask for legitimate mail to be blocked.  At best (if they are even aware of the ratios) they begrudgingly accepted that in the attempt to block spam, they would lose some real mail.

This depends on one’s definition of “degraded”. If most consumers say they’d rather lose a message occasionally than be spammed and phished to death and if ISPs heed the call and install filters, then by that definition the system is not degraded – the service is actually improved. Having said that, any wanted message that is not delivered hurts the sender, the recipient and, consequentially, the recipient’s ISP. CertifiedEmail is a tool that helps reduce the inevitable collateral damage resulting from the war against spam and against phishing.

d) As for the costs of certifications of various levels, that’s not a problem. Goodmail and AOL would be well served to drop the per-email price model and focus on the certification business, and to do so using open IETF standards so that we can have a competitive marketplace with competitive prices.  I understand the attraction of doing discriminatory pricing based on e-mail volume, but it’s a rathole, as one would hope you have seen by now.  It’s bad precedent, requires monitoring of individual mails rather than just a complaint system and has many other flaws.

There is nothing more egalitarian than charging volume senders based on their volume. The costs associated with the service we provide scale with volume; asking a large retailer with a mailing list of 4 million addresses to pay the same as a little bike shop with a list of 10,000 faithful customers makes no sense at all. As an analogy, you probably know that most volume senders outsource their email campaigns to Email Service Providers (ESPs) who send email messages on their behalf. Paying a volume-based fee is not one of the models there, it is the only model. There are no IETF standards for what we do; we will gladly embrace them if and when they come.

I must say that after spending a couple of weeks answering absurd allegations (the “tax” meme comes to mind) I find it refreshing to engage with you in a reasonable dialogue about the merits of CertifiedEmail. I thank you for that.

Best,

Daniel

Daniel T. Dreymann  –  Mar 8, 2006 10:33 PM

Mr. Santos,

Hmmm, I never said or wrote your system catered to unsolicited mail?

You wrote “So how do you handle systems that have no interest in unsolicited mail operations, but are simply responding to user’s request” which I may have misinterpreted as implying CertifiedEmail is about unsolicited email. Sorry.

If a system has to pay GoodMail to send mail to AOL.COM accounts, when should we not expect AOL.COM to be certified itself?  Should we charge a fee to AOL.COM to accept non-certified messages?

First, I need to clarify again: you do not NEED to pay Goodmail to send mail to AOL. You can keep sending uncertified messages forever.

CertifiedEmail is for known legitimate senders accepting our AUP. No ISP with millions of subscribers can vouch that all persons subscribed to their services are good players. So the answer to your question is “no”: messages sent by individuals at an ISP will not be certified.

Here is a proposal I think your system can benefit from. It would be a compromise with SMTP vendors as well as mail operators of all sizes:

Make the CertifiedEmail Validation process an open process for any SMTP vendor to implement.  The Signing or Imprinter process would be a customer added-value purchase option.  But at the very least, you will give SMTP developers and Mail systems some power to validate AOL.COM or Goodmail tagged incoming mail.  Validating incoming mail should not be a FEE-BASED concept.

What do you think?

This is no compromise for us. We never intended for validating incoming mail to be fee-based nor did we ever intend to make any money from the technology we provide to MTA vendors. Our sole source of revenue is the certification service we provide to senders.

We make available, free of charge, specifications and source code both for token checking (receiving side) and for token imprinting (sending side). For a list of vendors integrating our technology in their MTAs, please visit the partner pages on our website. At this stage, we still engage and actively interact with each partner (limiting our ability to work with a large number of technology partners) but in the coming months we will make the process even simpler and you will be able to easily download documentation and code.

Best,

Daniel
