Internet.com ISP-Planet
 
E-Mail Marketing System Pays ISPs, Eases Filtering

While charging money to send e-mail is not new at all, the details of the system embraced by AOL and Yahoo! include several unique elements.

by Alex Goldman
ISP-Planet Managing Editor
[February 10, 2006]

Mountain View, Calif.-based Goodmail Systems has attracted attention recently with the announcement that both AOL and Yahoo! are now customers. The company was founded two years ago by Richard Gingras, now CEO, and Daniel Dreymann, now senior vice president of product, engineering, and operations.

Dreymann has worked in VoIP and e-commerce companies, on the technical side, and for Israel's Air Force, also in technology.

Gingras has worked in content, web services, and platforms, in companies as varied as Laszlo Systems and Excite@Home. He began his career with Apple Computer. He managed the initial development of Salon magazine.

So what led him to build an e-mail protection company in what was already a crowded field?

"I had a sense that e-mail is a great and powerful medium, but there was also my frustration with the evolving dysfunctionality in the medium," explains Gingras. "You can no longer rely on e-mail being delivered. And it's even more difficult for even the most legitimate high-volume messages. I had a sense that trust was disappearing quite fast."

All of that was without phishing. Because of new threats, the mission of Goodmail Systems has become even more urgent. "When we started the company, phishing wasn't even a word," admits Gingras. "What's going on here is a classic tragedy of the commons. We want it to be okay for everyone to have an e-mail address. We don't want you to need to have an ID card to get an e-mail address. Anonymous e-mail is okay."

In the e-mail ecosystem, phishers have targeted the most valuable companies, but, in a strangely Darwinian way, have provided a market opportunity for Goodmail. Initially, the company's customers should be those same companies that are the target of phishers, such as financial companies.

"Originally, financial institutions were the targets," says Gingras. "Phishing attacks try to leverage customers' trust in a brand name by spoofing it."

Financial institutions are particularly concerned about customers' trust in e-mail. "The situation is that open rates and click-through rates are going down, driving deliverability down. Some customers will not open an e-mail from a financial institution, and at this moment, financial institutions are trying to move beyond paper."

The good mail solution
The Goodmail system won't solve every problem that an ISP has; it will solve the problems of large institutions that send a significant portion of the world's legitimate bulk e-mail. "We protect members by IDing commercial messages that are categorically good and safe," explains Gingras.

To do so, the company charges a fee to senders and pays a portion of that fee to the ISP whose members receive the e-mail.

The company accepts only the best senders. "The first step is to accredit the senders. We do company background checks. We check the information they gave us. At this point, if a business has been in operation for less than one year, we won't provide service to them, because we are unable to have what we call a legal path of accountability to them. We check their past sending behavior, how they are managing unsubscribes, their complaint level at our AOL and Yahoo! partners. If they have a good record, we put them into the system. Please note that we do continue to monitor their behavior as they use the system. We need to be sure they're adhering to the AUPs we set in conjunction with our ISP partners."

The company has built a public key infrastructure (PKI) and inserts a pair of cryptographic tokens into the X-header space of each message, Gingras says. In addition, companies disclose their planned mail behavior, and if they break the pattern, Goodmail can warn the sender and can disconnect them from the system by revoking their tokens.

In order to make the PKI as efficient as possible, Goodmail is setting up hundreds of token generators around the world. "We have a clever approach to PKI," he says. "First we check to see that the token is there. Then we check to see that it came from a legitimate generator. Once that token passes (it can be cached), it pulls a second public key in the token itself. We validate the token with respect to the sender and the message. The first key is 2048 bits, and the second key is 768 bits. We make it efficient in two ways. First, the receiving ISP doesn't have to touch the internet cloud to validate the message (it just has to check the cloud regularly to see if we have revoked any key). Second, the MIPS required to validate the key are less than the MIPS required by a content filter."
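The two-step check Gingras describes can be sketched as follows. This is an added example, not Goodmail's code or token format: the token layout, field names, revocation set, and result strings are assumptions, and toy textbook-RSA keys built from small Mersenne primes stand in for the 2048-bit and 768-bit keys.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes: returns (n, d). Toy sizes, not secure."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys: ROOT stands in for the 2048-bit key, GEN for the 768-bit key.
ROOT_N, ROOT_D = toy_keypair(2**127 - 1, 2**89 - 1)
GEN_N, GEN_D = toy_keypair(2**107 - 1, 2**61 - 1)

def issue_token(sender, message):
    """Hypothetical token: generator key certified by root, plus a message signature."""
    cert = sign(GEN_N.to_bytes(32, "big"), ROOT_N, ROOT_D)
    msg_sig = sign(sender.encode() + b"\0" + message, GEN_N, GEN_D)
    return {"gen_n": GEN_N, "cert": cert, "msg_sig": msg_sig}

class Receiver:
    """ISP side: holds only the root public key and a locally synced revocation set."""
    def __init__(self, root_n):
        self.root_n, self.revoked, self.cache = root_n, set(), set()
        self.root_checks = 0  # counts the expensive root-key verifications

    def validate(self, sender, message, token):
        if not token:                                 # step 1: is a token present?
            return "no-token"
        gen_n = token["gen_n"]
        if gen_n in self.revoked:                     # local list, no network call
            return "revoked"
        if (gen_n, token["cert"]) not in self.cache:  # step 2: legitimate generator?
            self.root_checks += 1
            if not verify(gen_n.to_bytes(32, "big"), token["cert"], self.root_n):
                return "bad-generator"
            self.cache.add((gen_n, token["cert"]))    # result of this check is cached
        # step 3: the second key, carried in the token, binds sender and message
        if not verify(sender.encode() + b"\0" + message, token["msg_sig"], gen_n):
            return "bad-message"
        return "certified"
```

Because the cache is keyed on the generator key together with its certificate, a token that reuses a known generator key with an altered certificate still goes through the root-key check.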

But surely no security system is perfect? "We can increasingly marginalize the risk, and we can respond to new information, but anybody who says they have a security system that cannot be compromised is a fool," Gingras admits, bravely.

But even large companies can be bad actors. We bring up the examples of Sony and Symantec, who have been installing rootkits on their customers' computers. Gingras points out that this particular attack was not delivered over e-mail, but he accepts our point. "We know that there are Fortune 500 companies that don't qualify because their sending practices yield complaint levels that are unacceptable to Goodmail and its partners Yahoo! and AOL."

Payback
ISPs spend good money to protect customers. Gingras says that the Messaging Anti-Abuse Working Group (MAAWG), with which Goodmail is working, estimates that the average ISP spends $8 to $12 per year protecting each customer's mailbox. ISPs that sign up for the Goodmail program will be able to defray a portion of that cost, and will be able to send some of the good mail directly to customers, reducing the load on e-mail filtering systems. "We will help reduce the cost. We're not suggesting that this will be a windfall to ISPs," explains Gingras. "It's just a way of offsetting other costs."

He expects companies to pay 1/4 of a cent per e-mail. A portion will go to Goodmail and a portion to the receiving ISP. Marketers tend to think in cost per thousand or cost per million, so the price would be $2.50 per thousand messages and $2,500 per million.

So far, Goodmail is working with Yahoo! and AOL. It expects to reach smaller ISPs through companies that offer outsourced e-mail, such as Tucows. Details of how the company will work with such providers were unavailable, but Gingras assured us, "we will look to be working with various providers to get the solution as deep into the ISP universe as possible."

Of course, filtering, anti-virus, and anti-spam will continue. That's not the problem Goodmail's built to solve. "We're about the good mail," explains Gingras.

AOL is one happy customer
AOL's spokesperson, Nicholas Graham, says that the adoption of Goodmail will not affect the company's numerous anti-spam efforts. "We will continue to filter mail and to build on our success in fighting spam."

Asked why AOL chose Goodmail, Graham says, "we did our homework. We looked at their processes extremely thoroughly. They believe in the fight against spam, in setting a high threshold, as much as we do."

We ask whether the Goodmail system might create a perverse incentive to raise the spam thresholds. "We will still maintain our free whitelist, and reserve the right to make any necessary and appropriate changes to protect our whitelist. We continue to deliver the best experience possible and our guidelines are designed to ensure our members receive the safety and security they deserve."

Pressed further on this point, Graham is upset. "I harbor exasperation with people who feel they should be in control of how we deliver e-mail to our members," he said.

Companies that wish to be placed on AOL's whitelist need to conform to the procedures outlined on AOL's postmaster site.

We ask how AOL is talking about the rollout of Goodmail to its members. Graham replies, "Goodmail is not yet implemented, so we have not yet communicated with our members. When this gets implemented, there will be education and awareness."

He tells us AOL expects to roll out Goodmail in early March.

He adds that AOL does work with other companies in the fight against bad actors, and cites the company's "willingness to work with Yahoo! to test Domain Keys."

Graham has effusive praise for Goodmail. "Goodmail is an excellent company. We did our homework and had discussions with a number of people. We don't provide details about discussions with potential partners or vendors. The door is always open to someone who has a good idea to deliver e-mail to our members."
