Autoresponders: sharing the joy of spam
Autoresponders are software “robots” that, er, automatically respond to incoming e-mail messages. They are the engines that power a number of popular enhancements to e-mail service. Under normal circumstances, autoresponders work well and cause no one any substantial grief; when spam mail enters the picture, however, autoresponders can go “rampant” (like the robot villains in video games) and send out tons of irrelevant mail to total strangers. If you use (or plan to use) an autoresponder-based feature in your e-mail setup, you should be aware of these problems and make appropriate allowances.
What do autoresponders do?
Autoresponders are generally found at the heart of services like the following:
Vacation messages. These are probably the textbook example of the autoresponder. Suppose you are all set to sail on a six-week cruise, and you are leaving your laptop behind (and even gamely divesting yourself of your Crackberry). You don’t want your friends and business associates to think you are ignoring their incoming e-mails in the meantime, so you use the “vacation message” feature offered by your e-mail system — you simply compose a generic message explaining where you will be (or where you want people to think you will be) and when you will get back, and then press a button; from then on, every new incoming message will not only be posted to your inbox (as normal), but will also be immediately responded to with the message you created.
Challenge/response spam filters. Many a frustrated e-mail user has turned his or her e-mail address over to a robot (one known as a challenge/response filter); the robot examines each incoming mail, and if it comes from an untrusted source (i.e., a stranger), the robot will send a response challenging the sender to prove that he is a real human being and not another robot (or a spammer). If the sender meets the challenge (typically by clicking on a web link embedded in the challenge message), then he will be “whitelisted” and his message delivered. If the sender declines to accept the challenge, his mail will remain forevermore undelivered.
Mailing list control. Many old majordomo/LISTSERV-style mailing lists (the kind often used by hobby, social, or professional-interest groups) use a simple but effective e-mail based interface to allow subscribers to join or quit the lists, or to change their list preferences. The list will have a special e-mail address that is monitored by a robot, and the subscriber communicates with it by sending e-mails that contain embedded commands. The robot will extract the commands and execute them, returning any responses to the subscriber.
Automated marketing messages. Many small-time internet marketing gurus extol the virtues of the humble e-mail autoresponder (which, they often say, can do “selling on autopilot”). Here, the would-be marketer sets up a robot that monitors a particular e-mail address; anyone who sends a message to this address gets an immediate sales pitch in response (and the robot will also no doubt remember to put the prospect’s address in a database for later “follow-up” by the marketer or those to whom he sells or rents the data).
Receiver-side mail bounces. Technically, an e-mail system is not supposed to accept incoming mail unless it is pretty confident that it can deliver that mail. However, many systems do not bother to make the necessary checks at the time of message delivery, and then find subsequently that the mail is not deliverable. Under the circumstances, they are then forced to send automatic “bounce” messages to inform the sender that the message did not go through. Even if the mail service isn’t lazy or slipshod, it may in very rare cases have to renege on its promise to deliver an incoming message (e.g., if there is a massive and immediate system failure), and is technically required to send a bounce when it does. Whatever the case, the mail system that chooses to bounce messages it has already accepted effectively becomes an autoresponder.
What’s the problem with autoresponders?
Misfiring autoresponders are part of the general problem of e-mail backscatter or blowback, in which spam mailings generate a secondary load of automated e-mail traffic that, while usually benign, is still pointless, unsolicited, and annoying to its recipients.
Common to each of the types of autoresponder mentioned above is the fact that the autoresponder replies automatically to the party whom it believes to be the proper sender of the original mail. The only information it has about this party is the set of return addresses that appear in the visible headers of the original message (e.g., in the From or Reply-To fields). If the original message is an “honest” one, then these addresses will more than likely be correct. In the case of spam, however, these addresses are invariably forged and therefore are incorrect. Worse, many of these forged addresses may be valid, working addresses belonging to people who were not involved at all with the original message. In these cases, autoresponders’ replies to spam will thus go to people who had nothing to do with the spam. Many of these people will regard errant autoresponder mail as a form of e-mail abuse, and may report it as such. Even those who don’t report it are likely to be very confused or angry (or both).
One nightmare scenario for an autoresponder user is the case in which a spammer decides to forge the robot’s address into his mail. The result of such forgery (depending upon the size of the spam run and the “quality” of the spam list) can be hundreds or even thousands of bounced e-mails being “returned” to the autoresponder, which then duly sends out responses to each. This could dramatically increase the autoresponder’s overall traffic level, and could draw unwanted attention to the operation. Imagine having to explain to your IT department why hundreds upon hundreds of “vacation messages” were sent from your address while you were out for a long weekend!
Making autoresponders smarter
If an autoresponder could somehow tell good mail from bad, it would know to respond to the good mail and ignore the bad mail. There are several ways to give autoresponders the means to suppress misdirected replies:
- If the mail service itself rejects or suppresses delivery of obvious spam mail (through the use of DNS blocking lists or similar means), then the bad mail never reaches the autoresponder and so will not be responded to.
- The autoresponder can use these same tools on the mail that it does receive to judge the bona-fides of the mail; if the message looks phony, the autoresponder can elect not to send a response.
- The autoresponder can also use more aggressive and comprehensive filters (e.g., Bayesian filters or SpamAssassin) to evaluate incoming mail for its spamminess.
- Autoresponders can check the relevant Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM) information (if this information is available) to see whether the mailing has been “authorized” by the provider responsible for it.
None of these methods are absolutely foolproof (in particular, not all services publish SPF or DKIM information, and those who don’t cannot tell the autoresponder that the incoming message is “rogue”), but they are better than nothing at all. These methods are probably beyond the resources of individual end-users of e-mail, but can certainly be managed by a mail provider of any size or sophistication.
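The checks listed above, plus a guard against the bounce flood described earlier, can be combined into a single “should I reply?” decision. The following is an added example, not code from the original article or from any particular mail product. It assumes the autoresponder is handed the raw message, the SMTP envelope sender, and a spam score already computed by an upstream filter such as SpamAssassin, and that the receiving mail server records SPF and DKIM results in an Authentication-Results header; the sample messages and the score threshold are constructed for illustration.

```python
"""Decision logic for a backscatter-aware autoresponder (added example).

Assumptions (not from the article): the caller supplies the raw RFC 5322
message, the SMTP envelope sender, and a spam score from an upstream
filter; SPF/DKIM verdicts appear in an Authentication-Results header.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Optional, Tuple

SPAM_THRESHOLD = 5.0  # constructed threshold; tune to the upstream filter


def _auth_result(msg: Message, method: str) -> Optional[str]:
    """Return the recorded verdict ('pass', 'fail', ...) for spf= or dkim=."""
    for hdr in msg.get_all("Authentication-Results", []):
        m = re.search(rf"\b{method}=(\w+)", hdr, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return None


def should_autorespond(raw: str, spam_score: float,
                       envelope_from: Optional[str]) -> Tuple[bool, str]:
    """Decide whether to reply; returns (reply?, reason or reply address)."""
    msg = message_from_string(raw)

    # 1. Never answer a bounce: delivery failure reports are sent with an
    #    empty envelope sender (MAIL FROM:<>), so there is nobody to reply to.
    if not envelope_from:
        return False, "bounce (null envelope sender)"

    # 2. Never answer another robot: RFC 3834 Auto-Submitted, or the older
    #    Precedence: bulk/list convention, marks automated mail.
    auto = msg.get("Auto-Submitted", "no").lower()
    if auto != "no":
        return False, f"auto-submitted ({auto})"
    if msg.get("Precedence", "").lower() in ("bulk", "list", "junk"):
        return False, "bulk/list precedence"

    # 3. Respect the upstream filter's verdict on spamminess.
    if spam_score >= SPAM_THRESHOLD:
        return False, f"spam score {spam_score} >= {SPAM_THRESHOLD}"

    # 4. An SPF or DKIM failure means the sender domain disowns the message.
    #    A missing result is merely "unknown", as the article notes.
    for method in ("spf", "dkim"):
        if _auth_result(msg, method) == "fail":
            return False, f"{method} failed"

    # 5. Finally, there must be a usable address to reply to.
    _, addr = parseaddr(msg.get("Reply-To") or msg.get("From", ""))
    if not addr or "@" not in addr:
        return False, "no usable reply address"
    return True, addr


# Constructed sample messages (not real traffic).
HONEST = """From: Alice <alice@example.com>
To: bob@example.org
Subject: Lunch?
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com

Free on Friday?
"""

FORGED = """From: Victim <victim@example.net>
To: bob@example.org
Subject: Cheap pills
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net

Buy now!
"""

BOUNCE = """From: Mail Delivery System <MAILER-DAEMON@example.com>
To: bob@example.org
Subject: Undelivered Mail Returned to Sender
Auto-Submitted: auto-replied

Your message could not be delivered.
"""

if __name__ == "__main__":
    for name, raw, score, env in (("honest", HONEST, 0.5, "alice@example.com"),
                                  ("forged", FORGED, 1.0, "victim@example.net"),
                                  ("bounce", BOUNCE, 0.0, "")):
        print(name, should_autorespond(raw, score, env))
```

Each rejection returns a reason string so the decision can be logged; a sudden run of “bounce” or “spf failed” rejections is exactly the signal that the robot’s own address is being forged into a spam run.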
Should you use an autoresponder?
I assume that you, like most people, want to be a good “netizen” and avoid placing unnecessary hardships on innocent parties through indiscriminate automatic e-mailing. Not using autoresponders at all would certainly be a very good idea in this regard. However, you may not want to (or be able to) forego the benefits of autoresponder services. Here are some points to consider:
- If your spam volume is currently exceptionally low (whether through happy accident or effective filtering), then your risk of sending misdirected autoresponder mail is also likely to be very low, so you might be able to get away with an occasional vacation message as long as you don’t make a long-term habit of it. However, you must live with the possibility that every spam you receive while in “vacation mode” has resulted in at least one misdirected autoresponder message.
- Find out whether your provider’s (or employer’s) autoresponder services are protected using one or more of the methods described above; if so, then the risk of misdirected responses may be greatly reduced.
- Some employers may encourage (or even require) their staff to use vacation autoresponders whenever they plan to be away from the office, so that important business mail is at least responded to (if only by a robot). If yours is one of them, you might share this article with your management or IT department, and then suggest a change in policy. Temporarily redirecting your business mail to colleagues or administrative staff, for instance, might actually be more effective than using an autoresponder, since this holds out the hope that a human being might be able to respond positively to an urgent appeal (which the autoresponder cannot do).
- If you currently use a challenge/response spam filter, it might be time to reconsider the practice. C/R filters have high false-positive rates (since every untrusted mail is assumed guilty until proven otherwise), and as we have seen they are prone to misdirected challenge messages. Your freedom from spam is coming at the expense of strangers who receive your misdirected challenges, and potentially fruitful correspondents who cannot or will not respond to challenges.
- If you manage a mailing list, you may want to secure your list’s robot address with effective spam filtering, and to limit its replies only to bona-fide subscribers wherever possible (you might have to block this robot from signing up new subscribers, instead using some more secure form of invitation or separate application). Or, consider migrating your list to a more modern web-based mailing list or bulletin board system (such as GoogleGroups or Yahoo! Groups).
- If you are using an autoresponder simply to blindly send out marketing messages, consider using more conventional means of promotion other than unsupervised e-mailing (which can quickly turn into mail abuse or spam). I suspect that marketing-autoresponder addresses by their nature may attract a greater volume of spam than “private” e-mail addresses, so your autoresponder may wind up burning a bearing responding to spam, and spreading your “message” to many people who did not ask to see it — the very definition of spam.