A conversation with AOL's Charles Stiles
Spam is a never-ending problem. Overall spam levels in August 2007 increased to an average of 69% of total e-mail, according to the September issue of Symantec's monthly spam report. It seems that no sooner does a spam-blocking firm or ISP identify and stop a spam phenomenon than a new one pops up. DMNews spoke with AOL postmaster Charles Stiles about the state of spam, the lingering challenges and what this means to legitimate e-mail marketers.
DM News: What are the biggest spam problems you've seen in recent months and what are you doing to track them?
Charles Stiles: As of late, we are seeing a lot more criminal-type behavior. The flavor of the day right now is people taking advantage of individuals' home computers. They are using botnets, which take over home computers to send out spam. There is that type of activity, and then there is registering fraudulent accounts, and that's really what it comes down to. It's no longer legitimate marketers using bad practices. It's really about criminal activity now.
DM News: How do you deal with this huge problem of botnets, especially when sometimes one can fall onto a computer and only be active for an hour before erasing itself?
CS: One of the things that we do is we try and figure out how these machines are connecting to us. Typically they are coming through and sending stuff out on Port 25, that's the standard mail port. So AOL doesn't use the same standard mail port. Instead we require people to authenticate. You can't just send e-mail off of our mail servers when you are connected. You have to actually provide a user name and password. Now with our clients, it's done in the background, you don't see it, and with Outlook or other third-party clients, you can configure it. But we do require user name and password so that not just anybody can connect.
We also track how much mail each account is sending, whether you are using our client or whether you are using a third-party mail client. This is not so much to make sure that you don't send too much mail, but we look at your pattern of sending. If you only sent five or 10 messages a day on average and suddenly you just sent out 500, that's certainly outside of your normal pattern - very similar to what a credit card issuer might do - in which case we would challenge you. And we wouldn't necessarily just block you, but we would offer you a challenge to say, "Is this a real human behind this? Is she sending us a message and this is just outside of her norm?"
We would also use what you call a CAPTCHA test or the image challenge test. So long as you passed it, you are fine to go ahead and continue sending. If you don't, then we will probably scramble your password and say OK, we're just not going to allow you to connect to the servers anymore. Then there's an online process whereby you can get it unscrambled, but you again have to pass that CAPTCHA test, just to make sure that it is a human that is behind the keyboard.
DM News: So how are spammers getting more sophisticated, and what is going on with image spam?
CS: Spammers have started using images as opposed to just text on a lot of these messages, because they have found that the text is easily deciphered by most of our filters and engines. So instead they'll put together a picture that contains all the text that they would need for their spam message. But because sending the same picture over and over would be easily detected, they change it and put static in it or additional elements so that it is very difficult to track.
DM News: And what are some of the things that you are doing to track image spam? Is it also part of the authentication and login process?
CS: We're going to have the authentication and the login process, that's a big part of it. We're also going to, like I said, limit the number of ports that can be used. But when those messages are coming in from the Internet, then we have to look at other characteristics of the message. Primarily, what we are looking at right now is the source of the message, which allows us to determine whether this is somebody we would normally be doing business with. Is this somebody that would normally be sending a million messages like this? If not, then we try to put them on a slow track and identify what's coming in. Is this a legitimate message or not, and if not, then we just simply issue a block. And we advise the sender that we have blocked their message. And if they feel that it's an error, they need to contact us.
DM News: A few years ago, the industry recommended not using images in e-mail, being mindful of the subject line, things like that. Is this obsolete now that we have more sophisticated technologies that allow you to look at the authentication process and better understand where mail is coming from? Do these things still matter? Are subject lines still filtered?
CS: Actually, we don't do a whole lot of filtering on the subject line. The most effective filtering goes on right at the consumer inbox, and typically that does come from the subject line and the "from" address. Consumers play a huge role in determining what is and what is not spam on the AOL system. But also for their own inbox, anything that is delivered, certainly they have that opportunity to say, "You know what, I think that this is spam, I am not going to trust it." Or they are going to trust it, and that's why we always err on the side of caution to make sure that the message does get delivered.
DM News: If a consumer receives a message that he doesn't want, but it is something that he's opted in for, is it bordering on spam? How can marketers and consumers bridge this gap?
CS: I think that that's a very dangerous area for us to play in, in determining what is or is not spam. Whether that example is criminally spam, I would say no, it is not. However, what our consumers tell us is spam - whether they have opted in for it or not - that's what we've got to filter. Because our consumers are essentially asking us, "Please don't deliver this message to me." Even if a marketer did have express written consent from the consumer saying he wanted the message, if they had copies of his driver's license, knew his address, his telephone number, blood type, if at the end of the day, the consumer says, "I don't want it," then we want the mailer to stop mailing it to them.
DM News: So what should a marketer do? How does a company find out that a consumer doesn't want a message if he's already opted in?
CS: One of the ways we do that is with our "report spam" button. And we provide those reports back to the mailer to let them know that, for whatever reason, this consumer doesn't want it. We don't require the mailer to remove that person from the list, and we don't say that you are guilty of spamming because a consumer clicked "report spam." But instead, we tell the marketer that consumers are telling us they don't want your message, they consider it to be spam, so please act accordingly. And I can tell you that in almost every single circumstance, a legitimate mailer will say, "Absolutely, if they don't want my mailing, I'll take them off the list." Because it doesn't do them any good if somebody is not even going to pay attention and, in fact, has a bad taste in his mouth as a result.
DM News: So how does the spam issue in general affect legitimate marketers? Does it affect them?
CS: I believe it does. I think that the more we have spam out there, the more it makes e-mail an illegitimate means of communicating, or it certainly affects the ability of a legitimate marketer to deliver its message in the intended way. Because at the end of the day, the goal is to have marketers send messages that consumers want. At the end of the day, it really becomes a lot less about permission, and more about what consumers are asking for. And if all marketers did that, then we wouldn't be in this situation.
DM News: So what are your expectations for the spam situation? Will marketers that don't authenticate still get delivered?
CS: I think that authentication is going to have a really big role in delivery in the very near future. I don't see us as immediately having a hard fail or a hard pass for authentication, because it's merely a means of saying, "This is my ID, this is who I am." It doesn't say anything about your reputation, and that is a completely different ball of wax. But it will allow us to attribute that reputation according to the mailer's actual mailing history and how it sends mail and what consumers think of it. I think that as authentication is more widely adopted and becomes more integrated with reputation systems, legitimate marketers are going to find that they are able to take advantage of that good reputation that they've worked so hard on, and that they are going to continue to see very good delivery rates - perhaps even better delivery rates - than they have in the past. But at the same time, I think that spammers that take advantage of consumers and take advantage of all the little loopholes and tricks and tactics and criminal activity that they use to get the messages delivered, they are going to find themselves hard pressed to get anything through, because they are going to be held accountable for their reputation.