[Politech] Libertarian group "Downsize DC" gets blacklisted by AOL [fs]

From: Declan McCullagh (declan@private)
Date: Mon Feb 05 2007 - 14:38:42 PST


Jim Babka, the president of the Downsize DC Foundation, added this to 
the below blog entry in email today:

"The last couple of weeks have been a nightmare. Why? Because America 
Online (AOL) has blacklisted us.
The result, in actual AOL addresses and related fall-out (like
through Netscape addresses, which AOL owns as well) has been a loss
of roughly 3,000 subscribers. But there's a real possibility the
actual damage is closer to 5,000, or possibly even 6,000 subscribers.
On top of that, anyone attempting to sign up with our system using an
AOL or AOL-related address couldn't confirm their registration. That
means they didn't get subscribed to our list at all.
If we can get this problem fixed, we can resubscribe those that we
lost who were already on the list. We still have their addresses. But
the ones that couldn't be confirmed last month, well, they are likely
lost forever. In fact, they probably left thinking we were
incompetent."

Note this doesn't seem the same thing as what we talked about last month 
-- in this case, a legitimate organization has a temporary security 
hiccup and, months later, is still blacklisted.

Obviously AOL has the right to set whatever policies it likes regarding 
its mail servers. The question at hand is whether AOL went too far here.

-Declan

---

http://www.downsizedc.org/blog/2007/feb/05/whipped_by_aol

NOTE: This blog entry is a supplement to our February 5 
Downsizer-Dispatch message which can be found above (the Dispatch will 
be posted after this entry so we can't link to it here).

In an earlier blog item in November we told you how a hacker attacked a 
minor vulnerability in our "Tell-a-friend" mechanism. It was fixed 
almost instantly. We won't rehash that story. You can read it for yourself.

We've been blacklisted by AOL. All we were told was that we had a 
"compromised script." We don't know the specific nature of the 
compromised script, but the November Tell-a-friend hack was our first 
appearance on the AOL blacklist and we've had problems with that company 
ever since. We've been in a kind of "off and on" situation with them -- 
more off than on -- but it was mostly a minor, occasional annoyance. 
Each time that we would end up on the list, we'd wait 24 to 36 hours, 
and the problem would go away.

That ceased to be the case, starting in about mid-January. Now we're 
just plain "on" the AOL blacklist, and we're having a very hard time 
getting off!

To make matters worse, due to a technical mistake on AOL's part, no 
"trouble ticket" was filed on our problem until Thursday. It took 
considerable follow-up just to get that far. And, work order or no, the 
problem still isn't corrected.

AOL has been insistent that we didn't have a reverse DNS address on our 
server. Spammers frequently do not have a proper reverse DNS, and having 
both a forward and reverse DNS that agree is one way ISPs can ensure 
that there's no email forgery going on.

The problem was, AOL was wrong. We've had a reverse DNS all along. And 
our server sits on U.S. soil. It didn't require rocket science for AOL 
to find our reverse DNS, but find it they could not. So they claim.

Worse still, it took repeated attempts to actually get to the point 
where we knew that AOL's supposed problem was that we supposedly didn't 
have a reverse DNS. Then, our programmer had one of those conversations 
that goes like this:

AOL: We can't help you because you don't have a reverse DNS.
DownsizeDC: We've got a reverse DNS.
AOL: We show that you don't have a reverse DNS.
DownsizeDC: Really, we've got one.
AOL: We can't do anything to help you until you have one.
DownsizeDC: It's been there all along.
AOL: Well, we'll try to find it. But until then, we can't do anything.

We were really in an "Alice in Wonderland" situation. It seemed like we 
couldn't get a "trouble ticket" issued for an allegedly "compromised 
script," because AOL said we didn't have a reverse DNS, even though we 
did have a reverse DNS. It was like trying to convince someone they have 
an elephant in their living room when they won't even turn around to 
look where the elephant is standing.

All we could do was ask them to please notice that we really did have a 
reverse DNS after all, and then wait. And wait, and wait. As follow-up 
our programmer sent 2 messages to their DNS department, but got no reply.

We didn't know they had finally found our reverse DNS until our 
programmer called their postmaster again this past Thursday.

But it still required that call to get our trouble ticket filed so the 
appropriate staff would remove us from the blacklist. They may have 
found the reverse DNS the day before, but that didn't mean our work 
order was filed. We were told it would take one or two business days to 
correct.

As of today (Monday) we're being told at least 24 more hours. Given the 
delays up to this point, who knows if that's accurate?

It's worthwhile to note that we've applied for the AOL white list three 
times and each time we were rejected. We just learned that we must have 
30 days of clean mailing history. As you can tell, since November 13, 
we've not qualified.

On top of that, after this most recent blacklisting, our programmer set 
up a "feedback loop" with AOL. That's a recommended procedure. However, 
another ISP manager we spoke to said he has one of these for his company 
as well, but has found it to be "useless."

So the problem appears to be deeper. We think the reason for that is 
that AOL has made a very bad institutional decision and is apparently 
incompetent to correct the damage they impose on others.

Metaphorically speaking, somewhere along the way, someone at AOL decided 
that their customers want the mail delivery person to read all of their 
mail, sift out the stuff they wouldn't be interested in, and deliver the 
rest. Internet Service Providers (ISP -- i.e., like AOL, Earthlink, Road 
Runner, Comcast, and our friends at FBS.net) are really just mail 
delivery pipelines -- a virtual postal delivery service of sorts, and 
all ISPs have different policies about how to deal with spam. AOL's spam 
policy is bad.

I can only imagine the howls of consternation if the U.S. Postal service 
started going through our snail mail the same way AOL does! Imagine not 
getting a lot of your mail, and sometimes none of your mail, because the 
USPS decides its junk. Well, that's what AOL does a lot of the time.

Now, I hate spam as much as the next guy. I get roughly 350 spam 
messages a day (no joke), and as the CEO of an upstart non-profit I 
don't have any money to invest in a hot trade, a rare ground-floor 
opportunity, or a precious commodity. Plus, my penis works just fine, 
thank you very much. It's nice to have my ISP sorting some of this junk 
out of the mix, but AOL's approach to this problem is ham-handed.

I've talked with an ISP manager who explained to me that a spam 
filtering program is a must if an ISP wants to be competitive in today's 
market, but how an ISP provides this service is really important.

Here's a way to think about it: Our justice system is built on the 
presumption of innocence. Theoretically, we'd rather let nine guilty men 
go free than unjustly convict and punish one innocent man. Not all 
governments work this way, but we're all grateful that ours does (at 
least in principle).

Similarly, not all ISPs work on the presumption of innocence. Some do. 
The ISP manager I spoke about above says that his company grabs "obvious 
spam," but if there's any question, they let it through so the customer 
can decide. That way, his customers don't miss email they want or need. 
His company presumes that email sent by a list owner is innocent until 
it is proven guilty. This approach reduces the spam volume 
significantly, but not completely. This approach also makes it more 
likely that customers will get nearly all of the email they actually 
want to receive.

But in AOL's world, email from a list manager is presumed guilty of 
being spam for the slightest of reasons. If AOL gets so much as one 
complaint, AOL assumes guilt and renders a death sentence.

AOL doesn't want the inconvenience of even a single spam complaint (like 
it's their fault). And if AOL customers don't get the email they want, 
frequently they don't even realize it. This policy probably keeps AOL's 
call center and postmaster less busy, and AOL customers may even brag to 
others about how little spam they get, which is good word-of-mouth 
advertising for the company.

But I can pretty much guarantee you that AOL customers are also not 
getting a lot of email they actually want, including the Downsizer-Dispatch.

Frankly, I think AOL should be fed to Darwin's machine. They need to 
adapt or perish. This is a terrible and costly business decision AOL has 
made. It's cost us a lot, and it should cost AOL too. I've never taken a 
public position about the existence of a company before, but if AOL 
cannot fix this problem, then I look forward to the day they fold. I may 
even dance a jig when it happens.

The way we can make AOL bear the cost for their stupid policy to tell 
OUR customers how AOL is handling their email. And that will be our next 
step.

Other action is also being considered.
_______________________________________________
Politech mailing list
Archived at http://www.politechbot.com/
Moderated by Declan McCullagh (http://www.mccullagh.org/)



This archive was generated by hypermail 2.1.3 : Mon Feb 05 2007 - 14:58:15 PST