Friday, May 27, 2011

Spam and Security: Changes to Pobox Outbound Mail

You can use Pobox to send your mail, by setting up your email program to send messages through smtp.pobox.com. If you use smtp.pobox.com, I wanted to make you aware of a recent change.

When you run an email service, you are constantly doing battle against spam. There's the spam that people try to send to Pobox accounts. And then, there's the spam people try to send FROM Pobox accounts.

The Pobox SMTP server has always filtered mail from trial accounts, as spammers and phishers love to try to take advantage of the reputations of legitimate email providers. Of late, though, we've seen an increased number of active, paid Pobox accounts being abused by spammers. (So you don't worry, "increased" here means from a couple a year, to a handful a month. Hardly a rash.) Whether it's caused by a virus getting installed on their computer or a phisher stealing their password, a compromised account can quickly send enough spam to cause a problem.

As such, we have recently changed the policies for mail sent through smtp.pobox.com. All outbound messages are now being checked by Cloudmark, which looks for "signatures" (URLs, phone numbers, email addresses, domain names, unique phrases, etc.) found in messages that have already been reported to them as spam. Accounts that have several messages flagged by Cloudmark in a day have their SMTP privileges automatically suspended.

This change is for your protection, as well as the protection of all customers who send mail from the SMTP server. Even a small number of spam complaints can adversely affect our ability to get the messages you send delivered to your correspondents' Inbox. And the accounts actually compromised by spammers could see their email address's reputation severely maligned.

However, Cloudmark, like all spam filters, is never 100% accurate. If you send a couple of messages misidentified as spam, your account shouldn't be affected. But, if more than a handful of your messages are misidentified as spam, you may see your SMTP privileges temporarily suspended. You'll be notified via email, and copy of the message will be sent to Pobox Customer Service for their review, and we will reinstate accounts that have been incorrectly deactivated.  But, feel free to email us if you think the situation warrants an explanation.

Because this change can cause your SMTP privileges to get suspended, I will take this opportunity to remind you that the SMTP server is never to be used to send bulk messages. If you are CCing enough people, even a single message identified as spam is sufficient to get your SMTP privileges suspended.  If you have a CC list that you regularly send mail (and it's more than a few people), we strongly encourage you to set up a mailing list.

16 comments:

  1. Will we be notified if “we send a couple of messages misidentified as spam”?

    ReplyDelete
  2. Flash: Yes, you'll get an email notifying you, too. Someone else already asked about this, so I modified the post to indicate it.

    ReplyDelete
  3. The link at the very end of this post (re: mailing lists) isn't working.

    ReplyDelete
  4. Doug: Hmm, the link worked for me... took me to http://helpspot.pobox.com/index.php?pg=kb.page&id=78

    If that didn't happen for you, can you shoot an email to pobox@pobox saying what did?

    ReplyDelete
  5. Here's the correct link: http://www.pobox.com/helpspot/index.php?pg=kb.page&id=78

    ReplyDelete
  6. RHPT: Oops, I forgot that was an in-house URL. Thanks for the correction; I've fixed it in the post. And Doug, thanks for reporting it in the first place.

    ReplyDelete
  7. Thank you for this alert. Appreciated!

    ReplyDelete
  8. I think it's positive that you guys are trying to solve that problem, but cloudmark is by far the condition wich catches more false-positives on my account. I don't know today, because I can't find the link that generates the "Spam Statistics Report", but in 2007 cloudmark had a false positive rate of nearly 8% in my account and I don't think it changed.

    So, if I do understand your post, from now on I can send a email (and I just send legitimate emails as the majority of Pobox.com users probably also do) and that email can be blocked and not reach its destination because a tool with a high rate of false positives "think" that my legitimate email is spam.

    Do I get it right? Are you putting that great uncertainty on the delivery of my messages?

    I think that you need urgently to review that decision.

    ReplyDelete
  9. Having to use an external mailing list is infeasible form me for a couple of reasons. First, I am on the Board of Directors of 3 nonprofits and participate on a bunch of committees for several organizations. It is not unusual for me to send out 5 emails a day with anywhere from 6 to 30 CCs which are part of a discussion. The mail list approach will not work with these email lists because they are not controlled by me. Second, to use an external email list requires that I update changed email address in two places, a real pain in the neck.

    I suggest a better solution. Only filter for known spam content, hold it and then give us the option to "release" it. That should capture most of the abuse without reducing the utility for us PAID customers.

    Please remember the PAID part of out relationship and fix this.

    ReplyDelete
  10. Gustavo: We do not hold messages. If you send multiple messages that are identified as spam, your ability to send mail will be suspended (and you will be notified of such.) A copy is sent to Customer Service so they can also check to see if it was a false positive. A single message will never be enough to suspend mail service.

    Tom: Unfortunately, spammers have taken to paying for accounts, too, so any policy has to start from the assumption that malicious parties are willing to pay for accounts, then use them to send spam. This precludes us considering a system where the sender could deem outgoing messages identified as spam as "not spam".

    ReplyDelete
  11. I've been with you guys since 1995. This is a huge inconvenience. I can't send emails now. You are really playing with fire.

    ReplyDelete
  12. Geewhiz, I've been with Pobox since 1996 and I would say that this is NOT an inconvenience if you are not sending spam. Just make sure you are not sending spam. What's the big deal about NOT sending actual spam? Just be sure you don't write your emails to be so spammy to be flagged. Anyways, if you are getting upset, then think about this: If your email gets through cloudmark when they are sent, then the chances are that your email may not be flagged as spam when they are received by the intended recipient of your email. So don't send spam. Anyways, if your email is inadvertently flagged as spam, then you should be happy that Pobox will at least have a real HUMAN double-checking any pobox customer's smtp-sent email that is flagged as spam.

    If you are doing some sort of marketing for a business, then you really should SEND your marketing email via some other service.

    If you are only doing personal email, and if you are upset about this, then go use another SMTP that will allow you to use your pobox address as a sending address. For instance, for my own convenience, i use a paid yahoo premium email account (only $20 a year) that is set up where my pobox address is my default address for sending email. But i try to use the pobox smtp on my email client software most of the time.

    The people who don't like change are the ones complaining about this. Change like this is good when you consider the world that we live in today. Better for Pobox to get a hold of a problem like this now before it becomes much worse. Otherwise, if no change is made, then what could happen is that Pobox addresses could get labeled as spam addresses and none of your email that you send would get through at all.

    Be thankful that Pobox actually publicly announced this change. Pobox could have been like other email companies that don't say anything and you don't even know if you email was even sent. At least you know about the change and therefore you can adjust how you do your email if your email could be interpreted to be at least a bit borderline spammy.

    Whatever you do, if you are really sending spam, then shame on you and you should not be using Pobox.

    ReplyDelete
  13. I don't send spam, so as long as I am alerted to the catch and have a chance to re-send heer or some other way, I'm all for this. Spammers are terrible criminals.

    ReplyDelete
  14. The link at the end of the article is still not working. Please fix.

    (It contains "&" in place of "&" and an extra space at the end.)
    "http://www.pobox.com/helpspot/index.php?pg=kb.page&id=78%20"

    Thanks.

    ReplyDelete
  15. That is, it contains "&" in place of &. (HTML converted what I wrote.)

    ReplyDelete