By Joris Evers
Friday, April 28 2006 11:33 AM
URL: http://www.zdnetasia.com/insight/security/0,39044829,39355223,00.htm

About a year ago, Publishers Clearing House set out to make sure its e-mail reputation was squeaky-clean.

The company, known for its sweepstakes and magazine subscription promos, stepped up its efforts to be a good e-mail citizen, and to make sure it didn't send out unwanted messages. It developed its own tools. It hired outside consultants. It signed up two full-time employees to oversee all of its e-mail delivery.

Quite an investment of time and money--but worth it, if it meant the company, which relies on mail to do business, avoided having its messages junked by spam filters.

"It has become more of a challenge to send e-mail," Sal Tripi, the director of operations at Port Washington, N.Y.-based Publishers Clearing House, said in an interview. "Because the ISPs are taking certain actions to catch illegitimate mailers, legitimate mailers have to take action to make sure that they are not caught in the same net."

In reputation-based filtering, senders are graded on their practices and assigned a reputation score based on several variables, such as complaint rates, volume of mail sent and response to unsubscribe requests. It's one of the latest techniques used to combat the problem of spam, which makes up more than 80 percent of all messages sent today, according to e-mail security service Postini.

What makes a reputation?

These factors are typically used by antispam filters to tag offenders.

• The number of complaints, often generated by recipients flagging the e-mail as spam.
• The percentage of mail sent to nonexistent e-mail addresses.
• The frequency with which mail hits spam traps (e-mail accounts set up to monitor spam).
• Unsubscribe performance. How quickly is a recipient unsubscribed or are such requests ignored?
• Sending infrastructure. Spammers tend to have poor sending infrastructure, often stealing resources.
• Volume--how frequently and how much mail is sent.

Source: ReturnPath

Also in response to spam, e-mail service providers are aggressively filtering messages to keep the medium useful for their customers. That, allied to the reputation push, is putting a burden on companies to meet the requirements of those providers. If they don't, they risk a slur on their character--and a subsequent ding to their business.

"It is a consistent and ever-changing business challenge to keep abreast of changing ISPs, policies and filtering," said Heather Soule, a representative of online invitation service Evite. "We adhere to the policies that most spam filters recognize, like proper formatting, and test through Habeas to ensure that the e-mails are delivered to our users' in-boxes and not junk/spam or bulk boxes. It is a laborious, constant challenge."

As a result, e-mail is no longer an easy and cheap way to get messages out to a large number of people, but one that needs careful management.

The score
Habeas, a Mountain View, Calif. Company, is a reputation-filtering service that also offers to help companies fix their e-mail reputation--for a price. Companies such as WalMart.com, Staples, Vanguard, Geico and Tickets.com have hired its services, Habeas said. One rival, which also specializes in getting mail delivered to the in-box, not the junk mail folder, is New York-based ReturnPath.

"E-mail is everything but free. Nothing good can remain free," Habeas CEO Des Cahill said. "Just like everyone spends money on search engine optimization, e-mail reputation and delivery is fast emerging as an industry."

Industry experts liken an e-mail reputation to a driving record or a credit score. With a bad driving record, you pay more in insurance premiums. With a low credit score, you don't get good rates on loans. If your e-mail reputation is bad, your mail gets junked.

"We monitor our reputation on a daily basis," Tripi, of Publishers Clearing House, said. "We like to make sure that our reputation remains clean, but it is a big effort."

But if you have a credit score problem, you really only need to hit the three agencies that maintain those records. It's a lot tougher for businesses that want to set their e-mail reputation straight: Hundreds of places compute e-mail reputations, and they may all do it

People do it with the mouse...

in a different way.

"E-mail senders have not been able to see or touch their reputation," Habeas's Cahill said. "The actual reputation data is distributed among hundreds of antispam vendors and ISPs."

It would be easier if there was a central database of good mailers as opposed to bad mailers, Tripi noted. However, if one Internet service provider delivers a company's mail, others will likely deliver it too, since practices are similar, he said.

"If your business is based on best practices, and your customers are treated appropriately, the ISPs want to deliver that mail," Tripi said. "They are not going to hold back good mail from their customers if they are confident that the businesses sending that mail are doing the right things."

There is some uniformity in establishing e-mail reputation scores, said George Bilbrey, general manager at ReturnPath. Typically, the score is based on six factors: complaints, percentage of mail sent to nonexistent addresses, number of mail hitting spam traps, response to unsubscribe requests, sending infrastructure and mail volume, he said.

The reputation will be attached to the sender's domain or IP address. Reputation systems may weigh the components differently, depending on their place in the e-mail chain. A spam-filtering appliance or hosted service may give more weight to e-mail volume and patterns, while for an e-mail service provider, the customer complaint rate might be most important.

"Users are voting with their mouse on reputation," said Craig Spiezle, a director at Microsoft, which operates the Hotmail Web e-mail service. "We think that is the best way. It is really in the eyes of the in-box user what is relevant."

But some are troubled by the notion that something set by others--their reputation--can be decisive in whether their e-mail gets delivered. Nicole Hampton, a station production manager at Cox Radio Interactive, worries about the business's reputation being hurt by miscreants abusing Web site mailing features, for example, she said.

Zombies, or computers controlled by outside hackers, pose another threat. An organization could have its systems commandeered and used to send out spam e-mail. This ultimately could affect a company's legitimate e-mail, which may end up being blocked by spam filters, noted Michael Osterman, the head of Osterman Research, which focuses on Internet messaging.

"Reputation filtering is an important component of overall messaging management, but it needs to be combined with other tools to fully protect a network," he said.

Such a hijack of a company's e-mail system is possible, but it probably wouldn't hurt its reputation immediately, Spiezle said, noting that a reputation is established over time.

Checking up
For companies curious about their e-mail reputation, Habeas and ReturnPath both plan to launch online services that will give them some insight into it. Beyond that, Habeas charges US$2,500 for a more in-depth diagnosis, and ReturnPath consultants can be hired for US$5,000 a month to work with a business and make sure its mail is delivered.

Spam-filtering specialist CipherTrust already offers a Web site, called TrustedSource, that gives some details about its reputation-ranking system. In addition, large e-mail service providers, such as Hotmail, provide a "feedback loop," which lets message senders see the opinion recipients have of them.

One thing that e-mail service providers are looking at is whether it makes sense to share reputation data among ISPs, Microsoft's Spiezle said. Ultimately, he said, providers such as AOL, Yahoo and Microsoft are going to make decisions based on what their users tell them. But pooling information could make reputation data more reliable.

"Sharing best practices and sharing reputation data among major ISPs is some of the discussion that is going on today," Spiezle said.