Log in

No account? Create an account

My take on Goodmail

Imagine this: your ISP has spent years setting up email filtering to help combat spam, phishing and fraud. It works most of the time, and you're happy to keep paying your $8/month for that email box sitting out there (for example, my Goldweb account has been around for over a decade, thankyou Goldweb).

Then one day, your ISP starts using Goodmail.

Goodmail is a service which certifies particular senders as being "Goodmail certified" - either they have met a list of requirement for being whitelisted, or they have paid a quarter of a cent (US currency) to have the message delivered.

Once a message arrives at the ISP, if it is "Goodmail certified" it gets straight into your Inbox without being scanned for viruses, spam, phishing or fraud. That's the contractual agreement that your ISP has with Goodmail. In return for direct delivery without filtering, the ISP gets up to 50% of the certification fee.

I'm already paying $8/month for my email account. I expect mail to get delivered, and I've configured the spam filter on my ISP's end to "tag and deliver" all spam (ie: it adds a tag saying the ISPs filter thinks it's spam, but then delivers it to my mailbox anyway). This way a false positive won't cost me a mail from someone who doesn't write to me regularly enough to make it to my whitelist.

However, after Goodmail, what happens if the ISP decides to take away the option to "tag and deliver"?

That's right... all those messages previously delivered to my mailbox that were accidentally marked as "spam" will be diverted to a "Spam" mailbox, which I would have to go through to extract the ham. In the meantime, the economic incentive is for the ISP to become more aggressive about tagging messages as "spam" in order to encourage senders to pay the Goodmail fee to have mail delivered to my Inbox.

Who will pay that fee? None of my friends, that's for sure. None of the mailing lists I subscribe to (Samba, CLUG, Locomotive, Postfix) have the money for that (at $1000 a month? you're kidding, right?)

No, the only people I know who will be paying the fee are the ones who expect the return on investment to be worthwhile. That means people who expect to make (on average) more than a quarter of a cent per message sent out. Imagine, for example, that a phishing attack cons 1 in 100 people. That one catch might be worth $1000, which pays for the next 50000 phishing attacks. Significant return on investment there - especially since having the Goodmail certification on the message is used by the ISP to mark that message as somehow "special" and more trustworthy (eg: AOL uses a blue ribbon to mark the message as "certified" - which must mean trusted, right?)

Goodmail, in my opinion, is only going to increase the hit rate for phishing scams. Phishing relies on confidence tricks, and what better confidence trick than having the ISP push a message into your Inbox past all the spam filtering that you've come to trust, and even worse they mark the message as specially certified... so the ISP becomes an accessory in the confidence trick. The phishers pay their quarter of a cent per message, and reap the harvest - a return on investment of over a thousand percent just because one person in a thousand fell for the scam.

Neither am I going to enjoy having my email held hostage. I'm already paying for my email service, so that you can send a mail from the email service that you are paying for, without extra charges, to my email service. I'm not going to pay more to a company running a protection racket. "Hey, that's a pretty important looking email you have there. It'd be a shame if it went missing, you know what I mean?"

Can you imagine the situation there? The economic incentive is for ISPs to encourage me to pay for Goodmail. Thus the economic incentive (with no legislative counter) is for them to deliberately delay or "misplace" my email so they can extract their eigth-of-a-cent fee from me (and since the mechanism for doing so is automated, the incremental cost to them of this racket is zero).

The worst bit about Goodmail is that I cannot choose whether or not my messages are going to be mismanaged by Goodmail. The contract is between individual ISPs and Goodmail, so if I have 100 friend I regularly communicate with, there are 100 people I'll have to convince to switch ISPs in order to escape Goodmail's protection racket.

Now Goodmail might counter by saying that there is some magical code of conduct or set of ethics that ISPs must conform to in order to continue using the service. Who is policing that? Is it enforceable? Remember that the only rule in business ethics is "maximise profit using every means available that is not illegal." After all, if you're not doing those questionable things which maximise profit while pushing the envelope of legality, you're losing ground to your competitors who do. The economic incentive to companies subscribed to the Goodmail service is to accept the 50% share of the certification fee, push Goodmail certified mail past the filters directly into the Inbox, and then let the spam filters get worse and worse at falsely tagging messages as spam (and thus convincing many more senders that they need to use Goodmail to ensure that their message gets delivered).

IMHO, just say "no" to Goodmail. Not because I have some opinion about the Goodmail company, but because I can't see how the economic incentives to the ISP to mistreat my email are going to make life easier for me.

So... is there a counter argument?

Here is Goodmail's list of qualifications for people intending to use the Goodmail service:

  1. Only permission-based messages to existing members or customers is allowed; no prospecting, member acquisition campaigns, or any form of unsolicited email will be permitted
  2. Senders must maintain very low compliant rates as judged by CertifiedEmail partner mailbox providers. Senders accepted for CertifiedEmail accreditation whose complaint rates rise above acceptable low thresholds will be placed on probation or, if the problem is not repaired, excluded from the program.
  3. Be a commercial or non-profit entity with a private domain name.
  4. Have established policies regarding opt-in strategies, unsubscription timeframes, use of suppression lists, etc. CertifiedEmail is strictly for senders with the best email practices.
  5. Have one year of business history, as verified by a commercial identity verification service.
  6. Have business headquarters located in the United States, Canada, or the United Kingdom.
  7. If a non-profit organization, verify non-profit status as a 501(c)(3).
  8. Have at least six months' history using a dedicated IP address to send messages.
  9. Have a prior complaint threshold within the bounds established by Goodmail and partner ISPs.
  10. Be able to comply with Goodmail's Acceptable Use and Security Policy.

Point 1 basically means that if I didn't expect the mail in the first place, it shouldn't arrive through Goodmail. How is that policed? How do I make a complaint about a Goodmail certified message? There is no mention of a complaints process on the Goodmail site. There is no button in the interface screenshots to allow me to mark a Goodmail certified message as unsolicited.

Point 4 means that any commercial entity (you can only use Goodmail if you are a commercial entity - ie: a registered, active business, non-profit or otherwise) can send Goodmail certified messages if they have "a policy". Does Goodmail purport to audit these policies?

Points 8 and 9 give me some hope that I won't be getting Goodmail certified UBE from hit and run spammers. I will likely be getting more UBE from established commercial ventures, such as mail order companies looking to hawk their wears, or companies with a USA HQ but a mail server in Russia.

Remember, the strength of any system is not determined by its strong points, but but its weaknesses. How can the spammers exploit Goodmail to maximise their return on investment? Easy - make sure that the cost of any advertising campaign is lower than the income the campaign will generate. If it costs $2k to run a campaign (setting up a shelf company to send out boring emails to the same people for 6 months, then burn up all credibility in a massive advertising campaign targetting 10M people) that earns $100k in sales... is that worth it?

But this all comes back to one argument: will the extra credibility granted by Goodmail certification increase the return on investment of phishing or fraud campaigns?