Bonded Sender should work

There are a lot of anti-spam solutions out there, and a bothersome number of outspoken anti-spam zealots. I’m not outspoken, but I do hate spam. I use SpamAssassin to crush much of it, but for me, a huge worry is “false positives”. To me, IronPort’s Bonded Sender program is a good solution to the problem of losing solicited commercial email.

Read on to find out why.

Spam, or the more descriptive name “unsolicited commercial email” (UCE) sucks. I’ve been on the Internet for a decade in various forms, and have had some of my email addresses for over 6 years (I was the first guy on my block to have a “vanity domain”). As a participant in OSS, my name is all over the darn place in everything from list archives to CVS commit messages. So, spammers definitely know how to find me. It’s an unavoidable hazard of participating visibly in the internet community.

I also use the internet for all sorts more mundane things. I buy books. I buy music. I buy plane tickets. I even buy food (well, tea). I furiously participate in the commercial side of the internet to make my life cheaper and more convenient. Frankly, I love it. Commerce is the driving force these days behind the internet. Without it, it goes back to a bunch of scientists and warez dorks.

But I have a problem: I love commerce on the internet and hate spam. I use tools to keep spam away, but I really need to get legitimate commercial email about transactions I’m participating in. Losing messages like that may cost me real money. How do I avoid such lossage?

One answer that impresses me is Bonded Sender. I found out of it primarily because my roommate’s girlfriend is part of running it. I looked at it, was initially turned off, and then reconsidered. Why? Well, that’s what I hope to explain.

First of all, Bonded Sender (I’m going to resist the urge to appreviate to “BS”, as that is counterproductive to my argument) isn’t a spam solution. Not at all, and it doesn’t claim to be. It will have absolutely zero effect on the volume of spam you receive. It is a whitelist, and is intended to deal with the email I mentioned above: legitimate/solicited commercial email. This is the stuff you want/need to get: things like professional newsletters, sale notifications, product offerings, and receipts from companies you deal with. I get a couple of newletters from Amazon.com because I have chosen to, and I want to see them so I can keep up on new products. They aren’t spam, although they may superficially appear similar with URLs, “remove” links (that work), and likely a few too many exclamation points thanks to an over-zealous young marketing exec. I want them in my Inbox so I can read them.

So how does Bonded Sender help with this? To state over-simply: audits. They audit the practices of a commercial email sender. They make sure of things like working unsubscription methods, legality of acquired addresses, and adherance to privacy standards. They also investigate complaints and do ongoing checks. In short, they make sure people who are participants of the program are playing fair. Then, via marginally-clever DNS trickery, they let other email servers know. They do the electronic equivalent of saying, “We checked this guy out. He’s alright.”

Like I said, initially I wasn’t impressed. Why would I trust these guys at IronPort? Well, I then realized that this is a completely old and boring model applied to the internet. It’s an effective model that most people are familiar with, understand, and use. The term for it is “trusted third party”. Almost everyone will encounter a trusted third party at some point in their life. A notary is one for official documents. A lawyer is one when she acts as executor of a will. Your buddy is one when he holds the money while you and another friend act out a drunken bet involving hammers. It’s not a new model.

It works because IronPort tells everybody what the rules of engagement are. How they can participate in conversation (including nods to CAN-SPAM and other legistlation). IronPort is essentially impartial because they don’t stand to gain if you successfully communicate. They only stand to lose if you don’t. If their role as a trusted third party isn’t validated, they lose reputation and nobody uses them. Then they don’t make money. Then they close down.

Most will immediately argue that IronPort cannot be trusted. Look at their web page. They sell mail servers for goodness sake! Doesn’t that create a conflict of interest? I have to say “no” for a few reasons. First, I’ve seen that IronPort is for real. My friend has come over at the end of a very hard day, having been yelled at by an IronPort hardware customer who she nixed from the Bonded Sender program for violations. He screamed because he believed buying IronPort servers meant he was more likely to be approved for the program. It doesn’t.

Second, it comes down to economics and community. IronPort is in the thick of the email/spam world. Their properties include SpamCop, an anti-spam solution that has built a lively community around it. It includes Bonded Sender. It includes the server hardware and software. They have to get all these things right to stay in the game because the game is based on trust. If they betray that trust, two of their properties lose all viability. Then they’re just selling mail servers (and hardware isn’t a great place to be). An company that purports to be helping with the spam problem is nothing without “street cred”. They have to prove in every transaction that they are, indeed, that trusted third party. They seem to understand that fact. And they also understand that if their reputation falters, they fail. Then they have to go to their investors and say “We ran a crooked business and lost our reputation and all your money along with it.”

So, IMHO, Bonded Sender is a good idea. It’s built on a proven model and shored up by community and economic/business pressure. If you’re a company who needs to legitimately reach customers, you should check out the program. If you’re an ISP, learn how to use their query tools for just about every MTA out there. Then go back to enjoying the benefits of legitimate commerce on the internet.