I did an earlier post about domain name scams. ILSCORP was really pushing the boundaries on marketing ethics.

On Monday of this week I received a letter from the Domain Registry of America about a domain name I registered for my mother-in-law a year or two ago. It is leaps and bounds better than the ILSCORP, but it still leaves me a little uncomfortable.

The Good

It uses the word "switch" in the 2nd sentence helping the reader understand that DRoA is not your current registrar. The text "This notice is not a bill" appears twice in the letter; it appears bolded the first time. They have a paragraph about our right to change registrar's when we renew, again emphasizing that they are not the current registrar. Pretty good, in my opinion.

The Bad

The design of the document is built to pull your eye away from the informative text and focus your attention on other things. Three main sections get the attention: a section with the domain name & a "reply requested by" date, a section listing costs for different terms of registration, and a section listing prices on similar domains. It seems likely to me that a casual reader will simply see this as renewing their domain and never think about it being with a new provider.

The second "This notice is not a bill" is squished between larger and heavier fonts on the detachable portion to send in with your money. Not great.

The fine print on the back is almost comically small. It has to be 3 to 4 point font and is a grey color rather than a higher-contrast black. Again, it smells of design built to draw attention away from potentially important information for a consumer.

Competition

This letter seems to add customers to the Domain Registry of America through subtlety. True, there may be some existing domain registrar that doesn't warn its customers that their domain is expiring. The DRoA is then providing a meaningful service. But I'm guessing they mostly get customers because the folks don't realize that they are switching to someone new and maybe not getting the best deal (DRoA charges $25 for one year of registration...there are significantly less expensive registrars out there).

Customers benefit when there is more direct competition between providers on core issues. Customers then choose new companies based on a feature/price ratio that makes sense to them and companies that better meet needs get more customers.

I was just reading through a competitor's web site yesterday and saw where they had an add-on support package where their customers would be guaranteed a response to an email question within 48 hours. 48 hours?!? Maybe that's a big step up from a free email provider.

Needless to say, I believe we're a huge step up from a situation like that. And we're working on doing even more!

-Kirk

I received this comment in response to an earlier blog entry:

Is there any chance of webmail.us implementing greylisting? Here is a link about it: http://projects.puremagic.com/greylisting/whitepaper.html I have yet to see a downside.... Thanks, Zachary

Zachary-- thank you for the question and the answer is: probably not anytime soon. I'm putting this as a separate blog post because I think it is a really good general question and the explanation for my answer might be useful to others.

What Is Greylisting?

First, let's talk about whitelisting and blacklisting. A whitelist is a list of email addresses and/or Internet Addresses that someone knows as "good" senders. A blacklist is a corresponding list of known "bad" senders. Clicking "trust sender" in the webmail interface puts a user on a whitelist. Clicking "report spam" doesn't blacklist the sender, but does submit the message to our filtering software so that it can learn to recognize the new type of spam.

The link Zachary sent along is a great explanation of the concept of greylisting. It is an approach that says, "I don't know who you are so I'm going to make your email message jump through some extra hoops before I accept it." So an email from an unrecognized sender is neither on the whitelist or the blacklist and therefore is treated differently.

Greylisting works by telling the sending email server to resend the message sometime soon. Most spammers right now set their software to blindly transmit their spam email and the software doesn't understand the "resend soon" message. Thus, the spam would never actually be delivered.

One Weakness

There is one weakness to this approach in a business or high-performance personal setting: the delay and resend may take up to an hour. Many businesses receive email from new customers regularly, whose email would be delayed by the greylisting rules, and the delay could have a significant business impact. And if you frequently get email from "friends of friends", then greylist might cause you problems, too.

A second potential weakness is that it seems to Bill Boebel, our CTO, that updating spammer software to follow greylisting rules would be just too easy to implement. So as more people used greylisting it seems likely to stop working altogether as spammers adjusted.

Choosing Your Approach To Spam

There is no wrong approach, just a few choices that will make your mailbox work in a way that's most useful to you.

I've included some info in earlier posts about how we filter spam. The summary is blacklists, keyword recognition, and some very intelligent programming in SpamDNA(r). But our customers can also use desktop anti-spam software and 3rd party services to add more layers if that better meets their needs.

-Kirk

Some people think that there is a conflict between being a global endeavor and a good local corporate citizen.  But we love being in a beautiful place near Virginia Tech.  I've read about more and more high-tech companies moving to places with better quality of living, shorter commutes, and a healthier lifestyle; as long as they can stay well-connected.

We try to support our local business friends when we can.  Today we're participating in a Business and Home Expo put on by The Montgomery County Chamber of Commerce.  If you happen to be in our neck of the woods, check out the Expo at The Event Centre, 1655 Roanoke Street (between exits 118A and 118B on I-81), Christiansburg, Virginia.  It runs from noon until 7:30pm and should be a lot of fun with a lot of interesting people and displays.

-Kirk

The story is over on our CEO's blog: Small Town, Big Ideas : Capital Raising: The Story Behind the Story.

We were in a local paper as well: The Roanoke Times.

And just to reiterate an important fact from both links: we have been cash flow positive for some time now and growing like mad especially for the last 18 months or so.  Unlike the dot-com-bubble days, investors are looking for actual returns on investment!

-Kirk

I was shown an email today that talked about the creation of a 411 lookup service for cell phones and a big rush in cell phone telemarketing that would follow.  The email encouraged readers to sign up for the federal government's Do Not Call registry by dialing a phone number.

Fact Mingled With Fiction

Yes, there really is a cell phone 411 service being created.  Yes, the federal government has a registry of phone numbers that most telemarketers are required to avoid.

But...

The 411 service is being built for consumers and does not support telemarketing.  It is like 411 for regular phones: call and ask for a person by name and area to get a phone number.

The national Do Not Call registry is only for home phones.  We can all hope that if cell phone telemarketing ever begins in earnest that the registry will allow cell phone numbers to be listed, too.

Read more at snopes.com and urbanlegends.about.com.

-Kirk

Here is an article with a lot of interesting facts and figures about viruses in 2004: CRN.

I won't ruin the article, but a lot more viruses caused problems, the average time it took to recover became longer, and (not suprisingly) costs to recover went up.

I'll renew my earlier recommendation that multiple layers of anti-virus protection be used whenever possible.  Putting two anti-virus programs on the same computer is generally not a good idea, but protecting servers-- and particularly email servers-- as well as regular desktop machines should be standard practice.

Some Anti-virus Programs

There are some anti-virus programs that are free for noncommercial use (see their sites for definitions).  Here are three that I have tried at various times:

Avast! free home edition
Antivir personal edition
AVG free edition

There are *way* too many commercial anti-virus programs for me to track.  All of the products above have corresponding commercial programs, but here are a few more for small businesses:

McAfee
Symantec
Panda Software
Trend Micro
F-Prot

We Use

On our email servers we use F-Prot for servers with ClamAV, an open-source anti-virus program that works on Linux.  We encourage our customers to use another layer of anti-virus software on their desktops & laptops!

-Kirk

We recently hired a great technical writer to help us with a lot of projects.  There are now some new documents at our Setup email client page for Netscape Mail and Mozilla Thunderbird.  I really like the new formats we're moving to and hope that we can get the old docs redone within the next couple of months.  And keep your eyes open for a Webmail user guide in the next few days.

Outlook Express With IMAP Tip

Outlook Express allows email you send using IMAP to stay synchronized with the Sent folder in Webmail, although this isn't how OE handles sent mail by default.  To make the change go to Tools -> Accounts -> Mail (tab) -> Properties -> IMAP (tab).  For our email system (or any other system based on courier-imap), put 'Inbox' for the root folder, and 'Sent' and 'Drafts' for the other two folder names below.  After clicking OK Outlook Express will take just a moment to reset its folder information.

To make sure that Sent and Drafts stay up to date, right click on each of those folders then choose to synchronize all messages in the folder.

If you want to do the same thing using Outloook, follow these instructions from Microsoft.

-Kirk

I.m not going to blog every time SANS kicks out a slightly elevated threat level. If that.s the sort of thing you *want*, subscribe to their alert feed here.

The subject of the threat is about .DNS Poisoning.. I wrote about pharming (which is the cool way to say DNS poisoning) a couple of weeks ago. But the gist of the alert from the SANS folks is that there are some very specific attacks against certain DNS Servers (not clients) going on right now and that it has been building over the course of about a month.

Amazement & Dismay

When I read about these sorts of things I have an internal dialogue with two conflicting viewpoints. First, how the heck has the Internet, by-and-large, not had any big problems with Bad People hijacking DNS servers? Second, how the heck can big-name vendors be sending out products with such serious security problems?

What can you & I do?

Probably nothing. We use UNIX-based DNS here so we.re not considered vulnerable by SANS.

If you happen to be Windows or Symantec Gateway administrator, please be sure your software is patched to the latest specs and configured in a secure way. Here is a guide to securing Windows 2000 DNS. Here is some info from Symantec about issues with their products.

-Kirk