Home / Blogs

EFF on Goodmail: Further Confusing an Already Confused Issue

Cindy’s piece on the EFF website seems to be a bit of a pastiche, with elements taken out of various articles (some outright wrong, some merely misinformed) that have been doing the rounds of the media for quite a while now about Goodmail.

She started off comparing AOL and Goodmail with the old email hoax about congress taxing email. That same line was used in a CircleID post by Matt Blumberg, CEO & Chairman of Returnpath (technically one of Goodmail’s competitors though they are in a slightly different space)

Various other quotes from different places - Richard Cox from Spamhaus on CNN for example.

However a lot of the quotes in those articles are being based on wrong or out of context assumptions, starting with one that goes “AOL is going to remove all its existing whitelists and force people to use Goodmail”.

This article has been written by the simple expedient of copying and pasting together articles from media and using second hand quotes from various people instead of getting quotes from them directly…

...and then stirring the pot a bit more, by calling Goodmail a “shakedown” of people operating non-commercial mailing lists, and then using the good old slippery slope theory to imply that people cant even email their relatives at AOL without getting a Goodmail stamp.

I have several questions that still need answering about Goodmail, because it is a proprietary system and so far being used on two closed and highly customized mail systems (Yahoo and AOL) where they control the user interface as well (Yahoo! webmail, AOL’s email program). Oh, and because I’m buried in work and haven’t had the time to dig deeper than this yet.

And, so far, I have not been very much impressed by Cindy and other EFF posters efforts to prove that spam filtering is bad and infringes on free speech, on IP, Politech and elsewhere.

But even if I were to leave all that context out of my comments there, that EFF posting is not a balanced story, it is a hatchet job. Cindy’s not doing any service to herself, or to the EFF, by posting that.

Dave Crocker wrote:

And that is what the recent announcement is about. It concerns a means of ensuring delivery of “transactional” mail. This is quite different from “marketing” mail and it is not in the least controversial.

Bank statements. Air tickets. And other stuff that is sent to millions of people who have asked for it, who need it to catch their flight, or get a loan, and sometimes don’t get it because it gets mistaken for phishing email, quite frequently by the user himself (you’d be surprised how often that happens, but quite probably, as you have operated a list for years now, that is not going to come as a surprise) :)

So, banks, airlines etc decide to pay a bit extra to get a Goodmail cert, that AOL’s email software then translates to a seal of some kind that says its valid email. And further, trusts Goodmail’s vetting of people who sign on enough to not subject email from Goodmail users to further filtering. I don’t know what Cindy thinks, but well, I’d love to know, for SURE, that email claiming to be from my bank is actually from my bank… and I’d sure appreciate having a copy of my ticket with me for sure before I go catch a plane.

What’s missing (and indeed, doesn’t belong) in this picture? Surely not Aunt Tilly emailing her relatives, or Dave and Declan running mailing lists for thousands of people over a decade?

That’s a bad strawman to raise, Cindy. An even worse one than the ones You have raised so far. And your tone’s getting way too strident for you to turn out anything that’s balanced and factual.

Disclaimer if people need it - I’m not affiliated to and as of now dont have plans of using where I work - an email provider that’s just over a third the size of AOL, with about 40 million users

By Suresh Ramasubramanian, Antispam Operations

Filed Under

Comments

Eric Thomas  –  Feb 11, 2006 7:48 PM

I don’t know what Cindy thinks, but well, I’d love to know, for SURE, that email claiming to be from my bank is actually from my bank…

Well, but this is what DomainKeys is all about, and it’s free. It’s also based on open standards, and far more widely implemented than Goodmail.

Daniel T. Dreymann  –  Feb 12, 2006 12:13 AM

Eric,

Your comment above shows that it’s not only Goodmail that you don’t understand (as exemplified by your offensive “Goodfellas” press release) but also DomainKeys. DomainKeys is a solid domain authentication technology which in no way competes with Goodmail’s service. As a matter of fact, Goodmail is very supportive of DomainKeys and of Sender ID. We are on the steering committee of Authentication Summit II.

While intrinsically a very useful tool for ISPs, when used stand-alone, and “free” as you point out, DomainKeys does little to protect the end user. I personally own the domains citigroup-online.com and bank-ofamerica-online.com (check them out with WHOIS) does this mean I am Citibank or BofA? This is why no provider I know of is contemplating adding a trust mark next to messages that passed DomainKeys checks.

DomainKeys can be coupled with what Dave Crocker calls a “vetting agency”. We can debate the relative security of such a mechanism but in comes the “vetting agency” and out goes “free”.

Good security does not come free.

Daniel

Suresh Ramasubramanian  –  Feb 12, 2006 12:57 AM

Domainkeys (and most likely DKIM when it comes through the IETF process) is a solid and well designed authentication mechanism.

There’s no element of reputation there - reputation of a sender that signs with DK is determined by the recipient

And that sometimes doesnt scale too well. So you outsource some of that reputation vetting to a third party.

You could  use something like the PGP web of trust for that - but that’d mean “we’re a large ISP like AOL, we trust sender X, so AOL can trust them as well”.  That might work, given some thought and application.

On the other hand, there’s a different way - where you trust one (or two, or three, etc) reputation vendors, who take on the responsiblity of vetting senders to ensure they conform to a strict set of criteria (confirmed optin lists, bounce management to scrub bouncing users, privacy policy vetted to make sure that lists maintain their integrity and are not leaked to third parties etc etc).

Goodmail seems to do both authentication of some sort - a crypto based token somewhere in the headers - as well as reputation.

You can probably combine that with DKIM, or spf / sender id (though I see no logic in combining this with spf or sender id, personally speaking .. dkim sounds like a far better fit).  Daniel Dreymann can probably explain that better.

-srs

Suresh Ramasubramanian  –  Feb 12, 2006 1:23 AM

Looks like the EFF party line is that this is basically blackmail.  Now Brad Templeton is on the shakedown theme as well .. http://www.interesting-people.org/archives/interesting-people/200602/msg00107.html

Then there’s cindy’s followup on IP, talking about why she thinks its blackmail -
http://www.interesting-people.org/archives/interesting-people/200602/msg00091.html

As usual on EFF posts about spam, they talk about moveon.org political action email campaigns getting blocked by ISPs.

The EFF’s done a lot of good things. But they’re simply way wrong in their single point agenda “spam filtering is bad and is a restriction on free speech”. Especially when their two favorite examples of this restriction are a chronically open relay that keeps getting abused, and a political action site with poorly managed mailing lists.

In other words - I do wish they’d stop talking absolute nonsense. I’m reasonably sure there are several far better arguments against using goodmail than “this is blackmail”

__________________

>
>>>From: Cindy Cohn

>>>
>>>Ultimately because Moveon.org is famous, and they know me,
>>>and I know Microsoft’s lawyers, I was able to get them to
>>>back off.  Bonded Sender is an especially bad idea for an
>>>organization that has enemies.  Every time someone reports
>>>you as a spammer your bond gets debited and they have grossly
>>>insufficient processes to investigate and put the money back
>>>if you claim that it’s politically motivated.
>>>

Politically motivated?  All of them?  Moveon is not exactly noted for good list management.

Like for example, I’d like to know how politically motivated our tech
support staff in Hong Kong was, for them (or rather our tech support
email address) to get invited a couple of years go, in a moveon email to
come participate in a rally outside the white house.

I wonder if moveon thought they were going to pay for airfare + hotel bills for 10 people all the way from hong kong to the united states .. especially when none of them can vote in a US election. I fail to see
how or why they would be interested in rallies outside the White House.

Sending unsolicited bulk email doesnt become any more right because its a political action email rather than an email selling fake diet pills.

And if the EFF’s statements on this issue are all based on that extremely skewed and limited view (and possibly on John Gilmore’s famous open relay getting blocked and taken down because spammers were hard
coding toad.com mailservers as the relay in spam programs and into viruses) .. then I am afraid that what I wrote before in my followup on politechbot holds even more good. http://www.politechbot.com/2006/02/09/two-responses-to/

Now for a brief overview of the issue.  It started out with a lack of understanding of terminology that AOL people used, and which got quoted well out of context in a Direct Marketing Association article, and on the internet marketing newsletter clickz.com, Many people participating in these groups dont like spam filtering all that much, and see it as a hindrance in (as the former DMA chief bob weintzen put it) emailing a coupon for Tide detergent to every household in America.

And then have an article based on wrong assumptions and misinterpreted facts pushed all around the media.  With mass hysteria about a big corporation stiffing people who want to mail their users.

The EFF hasn’t helped at all with Cindy Cohn calling this is a way to “shake down” non commercial email list operators like Dave Farber, or Aunt Tilly sending out her christmas greetings, into buying a online
stamp for whitelisting.

Eric Thomas  –  Feb 12, 2006 8:29 PM

Daniel,

I am surprised by your claim that I do not understand either DomainKeys or Goodmail, and that my Goodfellas press release should somehow be evidence of the latter. I have re-read that press release, and cannot find any comments on the merits of Goodmail’s technology. I was complaining about the announced phase-out of the AOL Enhanced Whitelist (now reversed) and the implication that I would have no options but to become a Goodmail customer at that point, to the tune of $10,000-40,000 per day, which is several times what my customers pay for the entire service. I was commenting on the risk that this could turn Goodmail into a de facto monopoly. I did not say anything about Goodmail’s technology because it was simply not relevant. I have no idea how you conclude that that the press release is evidence that I do not understand your technology.

You then go on saying that I do not understand that DomainKeys does not and cannot compete with Goodmail’s service, but admit that DomainKeys could be extended to be coupled to a ‘vetting agency’. I was the first to suggest this extension, precisely because I think it is a shortcoming of DomainKeys that it cannot compete with services like Goodmail’s. There are good things in Goodmail’s technology and I want them available through an open standard.

I disagree that vetting cannot be provided for free. There are community-run blacklists today, there could be community-run or sponsored vetting services, too. Perhaps you will get what you pay for, but that is another story.

Anyway, free vs pay is not the problem, the problem is the magnitude of the fee. I am confident that vetting can be provided for the same kind of fee as SSL certificates, once an open standard exists. This would bring it within the reach of almost everyone. And I don’t mean just e-mail marketers.

Eric Thomas  –  Feb 12, 2006 9:05 PM

Suresh,

As long as Goodmail (or anyone else) is the sole provider for AOL and Yahoo, there is a risk of de facto monopoly. You cannot dismiss this argument on the basis that list such and such is not a good example because it is not run properly, or because person such and such is known for talking nonsense. To business executives, monopoly is a valid concern per se. We technical people are more concerned about the fact that these solutions are not based on open standards, which in a way is the same fear, just formulated differently.

Other than price and sole-supplier concerns, I like the Goodmail solution. We need to focus on concrete work towards an open standard vetting infrastructure that can allay everyone’s concerns.

Daniel T. Dreymann  –  Feb 13, 2006 4:55 AM

Eric,

I never claimed it is our technology you made no efforts to understand; it is our value proposition that you first denigrated (“Goodfellas”) and later belittled (“this is what DomainKeys is all about, and it’s free”). Your press release casts the optional premium service we offer together with our partners as extortion and your subsequent comments suggest there is a readily available, standards-compliant, and free of charge alternative. It took vision, a considerable capital investment, and may I say talent, to develop a comprehensive and secure CertifiedEmail system.

In your later comments you distance yourself from the position Suresh is criticizing in his article (the suggestion that it is evil to offer paid premium services). You go on to say you actually like the Goodmail solution but that pricing is a concern. You do state that with free services you might get what you paid for. I couldn’t agree more.

Now that the discussion moved away from debating ethics and ideologies to a practical analysis of return on investment we should let the market establish the right price point. We are not the exclusive solution for good marketers to assure delivery of their messages and to guarantee consumers won’t mistake their messages as junk or phish – we are simply the first. This is a premium service no sender is forced to use. It is Goodmail’s job to build value and to offer senders something they will want to buy. We welcome competition.

Peace,

Daniel

Eric Thomas  –  Feb 13, 2006 1:37 PM

I never claimed it is our technology you made no efforts to understand; it is our value proposition that you first denigrated (“Goodfellas”) and later belittled (“this is what DomainKeys is all about, and it’s free”).

Actually, it’s the other way around. I spent very little time studying your technology, mainly because there isn’t much technical information on your web site. I did spend substantial time reflecting over your value proposition, how it could be further improved and broadened in scope, and how it could be made available using open standards.

I think we both know that the ‘Goodfellas’ press release was about the announced withdrawal of the whitelist, not about Goodmail’s technology or value proposition. You are obviously free to use the release to rate my understanding of Goodmail’s solutions or predict lottery results, but this is not what it was meant for.

My comment that “this is what DomainKeys is all about,” which you are citing out of context, was directed at Suresh, not at Goodmail. I was pointing out, perhaps too briefly, not being used to web fora, that his bank example was not a very good one. My bank has gone out of its way to inform me that they will only ever use one domain to communicate with me, and they have made it very short and easy to remember. DomainKeys can be used to authenticate mail from that domain, and at least for me it is better than Goodmail, as I do not read my mail at AOL :-) If I get mail from any other domain, I will assume that it is a forgery.

Something we engineers keep forgetting is that not every problem needs a software solution. E-mail authentication is a problem that does need a software solution, but trust can be addressed by software or by “real world” means. There are time when the software solution is better and times when it is not.

All this being said, I find per-message certification fees distasteful, and I really hope that companies like D&B get into the e-mail vetting business so that we can purchase certification from a large international provider for a reasonable flat fee. As a nice side effect, I could look up potential customers before selling them our products, and see if they are known spammers :-)

Suresh Ramasubramanian  –  Feb 13, 2006 1:40 PM

I would stop far short of calling goodmail blackmail / extortion / goodfellas.

Their current monopoly is that they’re the “sole third party reputation vendor” - or in goodmail’s crypto based approach, they’re a CA for a trust / reputation seal - for AOL.

You can deal directly with AOL’s postmaster staff to remain on a very good level of whitelisting, which gets better if your mailing practices are good and you get low complaint volumes, which get dealt with ASAP through your feedback loop with them.

I have no idea what goodmail’s policy enforcement is going to look like (yes, I have a pretty good idea of the sort of criteria for a goodmail cert would be, because I have a good idea of what AOL’s policies for whitelisting are, and what our policies for whitelisting are). 

For that to happen, goodmail has to sign up a bunch of clients, they’ll have to mail out to AOL, and based on feedback from AOL users, goodmail would have to work towards modifying the client’s mailing practices, or terminate the client. Or something. 

And then people who are not AOL, or the sender, or goodmail, will have to know about that fact. Though there’s not very much reason that anybody outside AOL, the sender concerned, and Goodmail, will ever know what happened.

Shorn of all the implementation details about crypto tokens translating to a seal of approval in AOL’s UI, that’s effectively the shape any reputation vendor’s interaction with senders, and with ISPs will take.

And that is not too different from the approach other people in the space (returnpath and habeas, say) are taking.

Though, having a goodmail token in the headers may well provide AOL and Goodmail some better reportage on sender stats and complaint volumes than what a feedback loop would provide.  Again, not having seen any of these things, but having interacted with reputation vendors in the past in my role as an ISP postmaster, that statement is kind of an educated guess.

Coming to price points - I guess goodmail bills the sender rather than the ISP?  The ISP already pays substantially for the cost of working goodmail into their current engineering and postmaster procedures, building systems for it and having their postmasters check goodmail stats and then make decisions based on these stats ...

If so, _and_ if mailers who are targeted by this sort of thing decide that paying for goodmail works for them - the market can probably bear a rather high price initially, with the costs passed on to the mailer’s customers if necessary.  That’d probably change if AOL decides to accredit more reputation vendors to do this.

We’re kind of reputation vendor agnostic, ourselves - in that we dont endorse any single reputation vendor. We set up feedback loops + whitelists for most people who look like they’re sending enough solicited email to our users, and have low enough complaint volumes that it would be worth our time to whitelist them. 

At least two reputation vendors are setting up loops with us on behalf of their clients .. and well, in practice, what happens is that we tend to measure the reputation vendor’s reputation by the sum total of their client’s reputation. 

So if they have one or more clients with poor mailing practices and don’t fix this, it impinges on the reputation that vendor has with us. 

On the other hand if their clients dont generate appreciable complaint volumes, and if they actively work with the client to do things like improve list subscription and confirmation, bounce acceptance and handling, unsubscription, introduce confirmed optin and cut down on imported / third party sourced lists (quite often a source of higher than average complaint volumes..) then well, we tend to listen to the reputation vendor when they next approach us on a client’s behalf.

There’s ZERO difference however between how we would deal with a sender of bulk email if they approached us directly, or through a reputation vendor.

With us though, things get much simpler as we dont have or use a bulk folder. So it is either a straight path to the inbox, or an smtp rejection at the gateway.

—srs

Suresh Ramasubramanian  –  Feb 13, 2006 2:06 PM

Eric, I guess you’re just lucky to have a bank that’s clueful enough to know how to handle email.

My bank (HSBC in Hong Kong) just doesn’t send me any email at all. Any communication I have with them is either by post / fax, or using a webmail interface on their password protected online banking site, that seems to feed into their support ticketing system.  And I have to use an RSA secure-id device to login to the bank website.

Several banks do send lots of email - including statements -  to their customers. And they do funny things with their email that make their customers very very confused even with valid email .. like for example using a check and statement processing vendor with a completely unrelated domain name, to send email using the bank’s domain name - both transactional email like statements (basically an email with a pdf attachment packaged in an encrypted zip file, the password of which can be calculated using your online banking password), as well as marketing (such as announcing new schemes / offers the bank sends its customers).

Ditto airlines - quite a lot (but not all) the marketing / transactional email I get from Lufthansa (with whom I have a frequent flyer account, so things like my freq flyer statement and “cheap tickets to rome for the holiday season” emails) comes from a domain lufthansa.ruk1.net .. well, I know that ruk1.net is owned by Responsys, an email marketing service provider that sends out email for a whole lot of large companies.

It is quite doable with dkeys but it’d take a bit of work (coordination, mainly) making sure that they all sign outbound email so that email from different sources is provably that of the bank, or airline, or whatever sending it out.

Goodmail’s idea is a good one. Right now, instead of AOL being the monopoly on maintaining their whitelist, people have a choice of going through either AOL or goodmail. And I would guess that AOL sets up loops for the other reputation vendors, as they do for anybody who asks - though they dont endorse any other reputation vendor in particular.

Eric Thomas  –  Feb 13, 2006 2:46 PM

Actually, my bank doesn’t send me much mail at all. They’re just scared that someone else might send mail “from” them, and probably have plans to start using e-mail more aggressively. Today, like your bank, they want me to log in and use their web ticketing system, and if I do that, an anonymous 1-800 operator promptly supplies a marginally useful answer which, if incorrect, nobody will accept responsibility for. But you can just e-mail your account manager instead, and he’ll actually thank you for not making him use the ticketing system :-)

Anyway, I’ll be the first to say that there is a lot of chaos today. Many senders can’t even communicate coherently from a single domain (not necessarily because they use third-party services, sometimes different groups just use different domains - a common problem in industries with frequent mergers). But frankly, if a bank signs up with a certification provider for that reason, what they need is a new IT manager. Most ESPs will allow you to use your own domain, and most marketers will tell you that coherent communication improves ROI. This is a good example of a problem that should not be solved through software :-)

Suresh Ramasubramanian  –  Feb 13, 2006 2:59 PM

Eric, sometimes, new IT manager or not, it’s probably rather cheaper and more useful for the bank to pay a reputation vendor of some kind and possibly use a path agnostic auth system like domainkeys / dkim, or goodmail for that matter - which does seem dkeys like in that it uses crypto tokens embedded in headers. 

Probably far easier for a new IT manager’s sanity when he’s dealing with a multi tentacled group of domains all running on different MTAs and with a non centralized userdbs .. as well as the security issues of punching holes through their firewall for 3rd party vendors to suddenly start using their email systems :)

ps - I’ve found hsbc’s support staffers quite competent and professional when i’ve had to contact them using their webmail interface.  Maybe a change of bank is in order ;)

Peter Bowyer  –  Feb 13, 2006 9:48 PM

Most people would agree that from a non-technical user’s perspective, the ability to have an indication next to an email from the bank which assures them that the email in question has, according to some pre-defined publically-available mechanism, been verified to have indeed originated at the bank or at an agent of the bank, is definitely a Good Thing.

AOL’s agreement with Goodmail says nothing about spam, but plenty about the fact that the mass market is ready for an authentication and reputation system, and that major players consider that there are folks out there willing to pay for it (presumably some market research took place).

Proponents of Domainkeys/DKIM should be very pleased at this, since it adds real-world credibility to the solution model.

As Daniel has already stated in an earlier comment, Goodmail is a player in the Domainkeys world and supports the development of the technology. One might hope that Goodmail will consider moving to DKIM from its current proprietory technology, leaving the reputational service as its USP.

So, what’s bad about ISPs representing ‘50% of the mail reaching the inboxes of U.S. consumers’ (from Goodmail’s website) offering a service based on CertifiedEmail?

I think we’re left with the issue of risk involving a single source of reputation - and one which only considers senders headquartered in the US (contrary to some opinions, not all email originating outside the US is automatically suspect). That’s what Goodmail needs to work on, and that’s also what widespread adoption of DKIM will fix.

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

DNS

Sponsored byDNIB.com