----- Original Message ----- From: "Declan McCullagh" To: <[email protected]> Sent: Monday, February 05, 2007 4:38 PM Subject: [Politech] Libertarian group "Downsize DC" gets blacklisted by AOL[fs]
: Jim Babka, the president of the Downsize DC Foundation, added this to : the below blog entry in email today: : : "The last couple of weeks have been a nightmare. Why? Because America : Online (AOL) has blacklisted us. : The result, in actual AOL addresses and related fall-out (like : through Netscape addresses, which AOL owns as well) has been a loss : of roughly 3,000 subscribers. But there's a real possibility the : actual damage is closer to 5,000, or possibly even 6,000 subscribers. : On top of that, anyone attempting to sign up with our system using an : AOL or AOL-related address couldn't confirm their registration. That : means they didn't get subscribed to our list at all. : If we can get this problem fixed, we can resubscribe those that we : lost who were already on the list. We still have their addresses. But : the ones that couldn't be confirmed last month, well, they are likely : lost forever. In fact, they probably left thinking we were : incompetent." : : Note this doesn't seem the same thing as what we talked about last month : -- in this case, a legitimate organization has a temporary security : hiccup and, months later, is still blacklisted. : : Obviously AOL has the right to set whatever policies it likes regarding : its mail servers. The question at hand is whether AOL went too far here. : : -Declan : : --- : : http://www.downsizedc.org/blog/2007/feb/05/whipped_by_aol : : NOTE: This blog entry is a supplement to our February 5 : Downsizer-Dispatch message which can be found above (the Dispatch will : be posted after this entry so we can't link to it here). : : In an earlier blog item in November we told you how a hacker attacked a : minor vulnerability in our "Tell-a-friend" mechanism. It was fixed : almost instantly. We won't rehash that story. You can read it for yourself. : : We've been blacklisted by AOL. All we were told was that we had a : "compromised script." We don't know the specific nature of the : compromised script, but the November Tell-a-friend hack was our first : appearance on the AOL blacklist and we've had problems with that company : ever since. We've been in a kind of "off and on" situation with them -- : more off than on -- but it was mostly a minor, occasional annoyance. : Each time that we would end up on the list, we'd wait 24 to 36 hours, : and the problem would go away. : : That ceased to be the case, starting in about mid-January. Now we're : just plain "on" the AOL blacklist, and we're having a very hard time : getting off! : : To make matters worse, due to a technical mistake on AOL's part, no : "trouble ticket" was filed on our problem until Thursday. It took : considerable follow-up just to get that far. And, work order or no, the : problem still isn't corrected. : : AOL has been insistent that we didn't have a reverse DNS address on our : server. Spammers frequently do not have a proper reverse DNS, and having : both a forward and reverse DNS that agree is one way ISPs can ensure : that there's no email forgery going on. : : The problem was, AOL was wrong. We've had a reverse DNS all along. And : our server sits on U.S. soil. It didn't require rocket science for AOL : to find our reverse DNS, but find it they could not. So they claim. : : Worse still, it took repeated attempts to actually get to the point : where we knew that AOL's supposed problem was that we supposedly didn't : have a reverse DNS. Then, our programmer had one of those conversations : that goes like this: : : AOL: We can't help you because you don't have a reverse DNS. : DownsizeDC: We've got a reverse DNS. : AOL: We show that you don't have a reverse DNS. : DownsizeDC: Really, we've got one. : AOL: We can't do anything to help you until you have one. : DownsizeDC: It's been there all along. : AOL: Well, we'll try to find it. But until then, we can't do anything. : : We were really in an "Alice in Wonderland" situation. It seemed like we : couldn't get a "trouble ticket" issued for an allegedly "compromised : script," because AOL said we didn't have a reverse DNS, even though we : did have a reverse DNS. It was like trying to convince someone they have : an elephant in their living room when they won't even turn around to : look where the elephant is standing. : : All we could do was ask them to please notice that we really did have a : reverse DNS after all, and then wait. And wait, and wait. As follow-up : our programmer sent 2 messages to their DNS department, but got no reply. : : We didn't know they had finally found our reverse DNS until our : programmer called their postmaster again this past Thursday. : : But it still required that call to get our trouble ticket filed so the : appropriate staff would remove us from the blacklist. They may have : found the reverse DNS the day before, but that didn't mean our work : order was filed. We were told it would take one or two business days to : correct. : : As of today (Monday) we're being told at least 24 more hours. Given the : delays up to this point, who knows if that's accurate? : : It's worthwhile to note that we've applied for the AOL white list three : times and each time we were rejected. We just learned that we must have : 30 days of clean mailing history. As you can tell, since November 13, : we've not qualified. : : On top of that, after this most recent blacklisting, our programmer set : up a "feedback loop" with AOL. That's a recommended procedure. However, : another ISP manager we spoke to said he has one of these for his company : as well, but has found it to be "useless." : : So the problem appears to be deeper. We think the reason for that is : that AOL has made a very bad institutional decision and is apparently : incompetent to correct the damage they impose on others. : : Metaphorically speaking, somewhere along the way, someone at AOL decided : that their customers want the mail delivery person to read all of their : mail, sift out the stuff they wouldn't be interested in, and deliver the : rest. Internet Service Providers (ISP -- i.e., like AOL, Earthlink, Road : Runner, Comcast, and our friends at FBS.net) are really just mail : delivery pipelines -- a virtual postal delivery service of sorts, and : all ISPs have different policies about how to deal with spam. AOL's spam : policy is bad. : : I can only imagine the howls of consternation if the U.S. Postal service : started going through our snail mail the same way AOL does! Imagine not : getting a lot of your mail, and sometimes none of your mail, because the : USPS decides its junk. Well, that's what AOL does a lot of the time. : : Now, I hate spam as much as the next guy. I get roughly 350 spam : messages a day (no joke), and as the CEO of an upstart non-profit I : don't have any money to invest in a hot trade, a rare ground-floor : opportunity, or a precious commodity. Plus, my penis works just fine, : thank you very much. It's nice to have my ISP sorting some of this junk : out of the mix, but AOL's approach to this problem is ham-handed. : : I've talked with an ISP manager who explained to me that a spam : filtering program is a must if an ISP wants to be competitive in today's : market, but how an ISP provides this service is really important. : : Here's a way to think about it: Our justice system is built on the : presumption of innocence. Theoretically, we'd rather let nine guilty men : go free than unjustly convict and punish one innocent man. Not all : governments work this way, but we're all grateful that ours does (at : least in principle). : : Similarly, not all ISPs work on the presumption of innocence. Some do. : The ISP manager I spoke about above says that his company grabs "obvious : spam," but if there's any question, they let it through so the customer : can decide. That way, his customers don't miss email they want or need. : His company presumes that email sent by a list owner is innocent until : it is proven guilty. This approach reduces the spam volume : significantly, but not completely. This approach also makes it more : likely that customers will get nearly all of the email they actually : want to receive. : : But in AOL's world, email from a list manager is presumed guilty of : being spam for the slightest of reasons. If AOL gets so much as one : complaint, AOL assumes guilt and renders a death sentence. : : AOL doesn't want the inconvenience of even a single spam complaint (like : it's their fault). And if AOL customers don't get the email they want, : frequently they don't even realize it. This policy probably keeps AOL's : call center and postmaster less busy, and AOL customers may even brag to : others about how little spam they get, which is good word-of-mouth : advertising for the company. : : But I can pretty much guarantee you that AOL customers are also not : getting a lot of email they actually want, including the Downsizer-Dispatch. : : Frankly, I think AOL should be fed to Darwin's machine. They need to : adapt or perish. This is a terrible and costly business decision AOL has : made. It's cost us a lot, and it should cost AOL too. I've never taken a : public position about the existence of a company before, but if AOL : cannot fix this problem, then I look forward to the day they fold. I may : even dance a jig when it happens. : : The way we can make AOL bear the cost for their stupid policy to tell : OUR customers how AOL is handling their email. And that will be our next : step. : : Other action is also being considered. : ________________________________________ _______ : Politech mailing list : Archived at http://www.politechbot.com/ : Moderated by Declan McCullagh (http://www.mccullagh.org/) :
