How Not to Sell Stuff to Me


I’m currently in Return Path’s Colorado office, finishing up three days of talking, planning, and starting to get to know the people I hadn’t met before. Starting tomorrow I’ve got three days of hiking, climbing, and hanging around Colorado in a non-work capacity, which makes for a really good week altogether.

Because I’m in Colorado, and because the creaky old PowerBook that I grabbed as I was running out my door has a mysteriously screwed up copy of VNC on it, I’m stuck accessing my company’s Exchange server via the Web interface, which is kind of like…well, it’s kind of like something really irritating. No way to sort messages, no easy way to choose how many messages to view in a window, slow…all the stuff that people always complain about. Net, accessing email is a bit of a chore right now, so I’m not pleased with having unnecessary messages in my inbox.

Into this mood comes a helpful email sent by my company’s sales rep at a major computer manufacturer. As usual, it’s a notification of the wonderful special offers that they have available now, mailed out to everyone in that rep’s address book. These messages irritate me at the best of times: if I wanted ads from them I’d sign up for a newsletter. If the rep notices that I’ve bought a half dozen of their 2650 servers in the last couple of years and wants to make an effort to sell me some of the new 2850s that they’re pushing now, that’s fair enough. I expect that a sales rep is going to check in with me periodically and try to convince me to buy things I don’t yet know I need…that’s their job. I don’t, however, expect to get a homemade, multi-colored, big font abomination of an ad for every random little thing that the company has a discount on this week. Not good. Doesn’t make me buy things.

Now what made this message even better was that the salesperson accidentally used CC rather than BCC to spam their clients, so I now have a handy dandy list of contacts with purchasing authority at other small to mid-size businesses. This was simple operator error, which I can completely understand, but in this case it just illustrates why this approach to email as a sales tool is a really bad idea. There are lots and lots of tools out there to handle mass email communication that are designed to minimize this sort of error. Many of these tools also allow you to track when you last contacted these people, group and mail to them based on buying habits or other information that you choose…these tools are designed to allow you to use email intelligently, as part of a sales process.

There’s a whole other post in the various (mature and otherwise) responses that were then sent via the “reply all” button, but I’m too busy deleting them all (very sloooowly) to bother right now. Use your imagination. See you all in a few days.

The Spam I’m Not Seeing


So as we all know, AOL has acquired Mailblocks, the challenge/response spam filtering company that incidentally holds a bunch of apparently questionable patents covering the use of challenge/response for email filtering. Yeah, well, whatever. So in early 2005 AOL will offer another ca. 2003 spam filtering tool to any subscribers they might still have. Again, let me say: whatever.

It’s interesting, though, how effectively challenge/response has managed to maintain a sort of minor “up and coming technology” status in the face of a gigantic collective yawn on the part of its potential user base. Nobody bothers to use c/r. Seriously. I say this not only because I can’t remember when I last got an email challenge, but also because of the compelling evidence of the spam that I’m not seeing.

Whatever else they may be, spammers are reactive. Spam changes — and changes quickly — in response to each and every attempt to stop it. Admins start blocking the machines that send spam? Spammers figure out how to effectively distribute their spam sending chores across many machines. People start filtering based upon words frequently used in spam? Words like “v1@gr@” and “|S|L|U|T|S|” are coined. People create smarter methods of identification, like collaborative message fingerprinting and Bayesian analysis? Enter the randomizers: random words, paragraphs from books, and miscellaneous other text appear in spam.

So what does that have to do with challenge/response? The spam that I haven’t yet seen is a message something like this:

###
To: somebody@example.com
From: verification@legitimate-sounding-domain.com
Subject: Please Authenticate your Message

You recently sent a message to a Legitimate Sounding Spam Stopping Tool user. Your message has been quarantined, and will not be delivered until you click the link below to verify that this message is not spam or automatically generated bulk email. You will only have to do this once, after which any messages you send to this user will be automatically delivered to their inbox.

http://verification.legitimate-sounding-domain.com/foo=sk3ndk3jalkejk4

Thank you,
The Legitimate Sounding Spam Stopping Tool Team
###

If you click the link above, you’ll see the potential problem here. If I’m a really clever spammer, I’ll just copy the text used by some legitimate challenge/response system for my fake messages. If I’m an extra-special clever spammer, I’ll tie this into a nice little worm of some sort, which would allow me to use the infected machine’s address book to send out “verification” messages that include an email address that the recipient is likely to recognize. Cool, huh?

The day after c/r systems become popular (assuming that ever actually happens), I fully expect to see these messages…and because I haven’t seen them, I just don’t think that c/r is commonly used yet. It’s interesting, actually, because just a couple of biggish spammers doing something like this could make c/r completely worthless. Every time you clicked on a challenge link it’d be a crapshoot, which takes challenge/response from “minor annoyance” all the way up to “way more trouble than it’s worth.”

Maybe I’m giving spammers too much credit. Maybe challenge/response is being widely used, and spammers are just too dim to have figured out this approach. Hmmm…maybe I should have filed for a patent on this before writing this post — this could be a gold mine! Got to go, there’s work to be done…
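
A sender-side check for the fake-challenge problem described above, as an added example that is not part of the original post: treat a challenge as answerable only when it cites the Message-ID of mail you actually sent. That a real challenge/response system sets In-Reply-To or References is an assumption, and the sent log, the `cr-provider.example` domain, and the verdict strings are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string

# Constructed outbound log: Message-ID of mail we really sent -> time it left.
SENT_LOG = {
    "<20040801.1234@mail.example.com>": datetime(2004, 8, 1, 9, 0, tzinfo=timezone.utc),
}
MAX_AGE = timedelta(days=7)  # assumed window in which a real challenge would arrive

# Constructed challenge that cites a message we sent (In-Reply-To is an assumed convention).
GENUINE = """\
To: somebody@example.com
From: verification@cr-provider.example
Subject: Please Authenticate your Message
In-Reply-To: <20040801.1234@mail.example.com>

Click the link to release your message.
"""

# The post's fake challenge: same wording, but nothing ties it to mail we sent.
FAKE = """\
To: somebody@example.com
From: verification@legitimate-sounding-domain.com
Subject: Please Authenticate your Message

Click the link to release your message.
"""

def cited_ids(msg):
    """Message-IDs the challenge claims to answer (In-Reply-To plus References)."""
    raw = " ".join(filter(None, [msg.get("In-Reply-To"), msg.get("References")]))
    return [tok for tok in raw.split() if tok.startswith("<") and tok.endswith(">")]

def classify_challenge(raw, arrived, sent_log=SENT_LOG, max_age=MAX_AGE):
    """Return a verdict; `arrived` is our own receipt time, never the Date header."""
    ids = cited_ids(message_from_string(raw))
    if not ids:
        return "no-reference"          # wording alone proves nothing
    sent_times = [sent_log[i] for i in ids if i in sent_log]
    if not sent_times:
        return "unknown-message-id"    # cites mail we never sent
    age = arrived - max(sent_times)
    if not timedelta(0) <= age <= max_age:
        return "stale"                 # too old (or predates the send) to be a live challenge
    return "matches-sent-mail"
```

A match only shows the challenge relates to real outbound mail; a worm reading the recipient's mailbox, as the post imagines, could still learn a valid Message-ID.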