The BondedSender Program (BSP) con.

I don’t know how this happened, but for some reason the antispam community seem to have walked right into quicksand. Why?   Well, consider this: If you existed to come up with ways to stop spam, you would think that implementing a way to establish trust relationships with sender would guarantee* that they wouldn’t send you spam.

* – No there are no guarantees.

Well recently a configuration option within SpamAssassin caused me alarm since it was occurring more frequently in spams that were getting through to me. Looking into the RCVD_IN_BSP_TRUSTED score I found that spamassassin gave it a -4.3 weighting which unless the email is particularly spammy, it means the net score for that email will result it it being classified as non-spam.  Trouble is – this is spam, so why is spamassassin being so nice to it?

Looking it up, I ended up at The Bonded Sender Program .org (this is the Internet friendly face) which "turns the spam problem upside down by identifying legitimate email traffic".  Oh?  Further reading shows that the BSP has a corporate side that companies pay the BSP (read: IronPort, who also happen to own and run SpamCop) so their emails get positively flagged as non-spam.

Am I the only one spotting the delicious conflict of interest?
1. Spamassassin catches spam
2. Users report spam to SpamCop
3. SpamCop blocks spammer.
4. Spammer has less success because their servers are blacklisted

Now SpamCop, aka IronPort, aka BSP goes to spammer "Pay us a wodge of cash and we can make sure a) you don’t get flagged as spam, and b) your servers can’t get blacklisted". Sounds like a sweet deal.  Why wouldn’t any spammer go for it?

In any other industry this would be blackmail. e.g. Mafia: "Pay us your insurance so you can be sure you or your shop doesn’t meet with an unfortunate accident".

Now the BSP apparently takes abuse of their system very seriously.  I beg to differ.   I reported an instance of abuse, to which the initial reply sounded positive, but that same customer is still spamming away.  I shall post some example spams that BSP claim isn’t spam as comments.

So, anyone reading this.  If you use Spamassassin, add this to your user_prefs:
score RCVD_IN_BSP_OTHER 0
score RCVD_IN_BSP_TRUSTED 0

Companies or Email senders – if you hit this page whilst researching about using the BSP, then please don’t.  It is a dirty way to get your message across – if anything it will make people like myself even more vehemently outspoken against you and your products.

BSP/SpamCop/IronPort – if you want to regain some credibility, perhaps you will take your abuse reports seriously and actually kill off those customers who do use you as a ticket to get spam through.

This is my personal opinion based on my experience of spam emails I have received via the Bonded Sender Program.

One Reply to “The BondedSender Program (BSP) con.”

  1. Return-Path: <everSavebb@pdirectmail.net>
    Received: from mta11.pdirectmail.net (66.151.226.18)
      by plop.pgregg.com with SMTP; 13 Apr 2005 23:00:09 -0000
    Received: by mta11.pdirectmail.net (PowerMTA(TM) v3.0r7) id hbmi0k0676ol; Wed, 1
    3 Apr 2005 18:58:16 -0400 (envelope-from <everSavebb@pdirectmail.net>)
    From: "ShopWise.com" <shopwise@advo.com>
    To: "Paul" <xxxxxxxx@xxxxxx.com>
    Subject: Test and keep Do-It-Yourself Products
    Date: Wed, 13 Apr 2005 18:58:12 -0400
    Message-ID: <SSEBC1.4.62104.8800787.2005041318581245SSEBC@pdirectmail.net>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary="—-=_NextPart_29261111221450222618211"
    X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on plop.pgregg.com
    X-Spam-Status: No, score=0.3 required=4.0 tests=AWL,BAYES_00,DCC_CHECK,
           DIGEST_MULTIPLE,HTML_80_90,HTML_IMAGE_RATIO_04,HTML_MESSAGE,
    HTML_SHOUTING3,HTML_WEB_BUGS,MIME_BOUND_NEXTPART,RAZOR2_CHECK,
            RCVD_IN_BSP_TRUSTED,RISK_FREE,SPF_HELO_PASS,URIBL_WS_SURBL
            autolearn=unavailable version=3.0.1
    X-Spam-Level:

    ——=_NextPart_29261111221450222618211
    Content-type: text/plain; charset=iso-8859-1
    Content-Transfer-Encoding: 8bit

    Dear Paul,

    Visit ShopWise.com for great offers like today’s feature offer below.

    Handyman Club of America
    No Risk Free Trial Membership

    Test and Keep Free Do-It-Yourself Products
    hxxp://tx2.pdirectmail.net/trak.asp?xxxxxxxxxxx.30160

    Become a Handyman Club of America Member, and Official
    Product Tester, and you’ll be eligible to test and keep
    great do-it-yourself products.Once you’ve activated your
    membership be sure to fill out your Product Test Profile
    Form and get in line to receive your first test product
    today.

    Click here for a complete list of benefits, a Free trial
    Membership and a complimentary issue of HANDY Magazine.
    hxxp://tx2.pdirectmail.net/trak.asp?xxxxxxxxxxxxxx.30160

    __________________________________________________________________________

    This service is just one more way that ShopWise.com delivers
    savings and convenience.

    Enjoy! Your friends at ShopWise.com

    —-Important Subscription Information—-

    We take your privacy very seriously and it is ShopWise.com’s policy
    never to send unwanted email messages. To view our privacy policy,
    click or paste the following link:
    hxxp://tx2.pdirectmail.net/trak.asp?xxxxxxxxxxxxx.7987.websiteid=2&ref=xxxxxxxxxx

    To cancel your subscription, click or paste this link:

    hxxp://optout.email-advantage.com/service/consumers/OptOut.jsp?ref=xxxxxxxx&websiteid=2&source=handym041305sw

    Copyright 2005 ShopWise.com. All Rights Reserved.

    ShopWise.com
    One Targeting Centre
    Windsor, CT 06095

Leave a Reply to pgregg Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

All content © Paul Gregg, 1994 - 2024
This site http://pgregg.com has been online since 5th October 2000
Previous websites live at various URLs since 1994