SpamZa: corrupting opt-in lists, one list at a time

A number of ESPs have been tracking problematic signups over the last few days. These signups appear to be coming from an abusive service called SpamZa.
SpamZa allows anyone to sign up any address on their website, or they did before they were unceremoniously shut down by their webhost earlier this week, and then submits that address to hundreds of opt-in lists. This is a website designed to harass innocent recipients using open mailing lists as the harassment vehicle.
Geektech tested the signup and received almost a hundred emails 10 minutes after signing up.
SpamZa was hosted on GoDaddy, but were shut down early this week. SpamZa appears to be looking for new webhosting, based on the information they have posted on their website. 
What does this mean for senders?
It means that senders are at greater risk for bad signups than ever before. If you are targeted by SpamZa, you will have addresses on your list that do not want your mail. Some of those addresses could be turned into spam traps.

  1. Check your signups. If you see hundreds of signups coming from the same IP address over a very short period of time, treat them carefully. There are a number of things a sender can do to limit the impact on a list.
    1. Delete the addresses coming from a single IP
    2. Confirm the addresses coming from a single IP
  2. Implement confirmation. Start using closed loop opt-in (double opt-in) on new signups going forward. This will keep future incarnations of SpamZa from corrupting a list. It will also prevent lists from acting as attractive nuisances.
  3. Do not trust vendors. Senders who are are buying a list or using a co-reg provider must confirm all the addresses before mailing them. There are some suggestions that the SpamZa people are selling addresses. Senders must protect themselves and their assets.

The one thing a sender absolutely does not want to do is add any SpamZa collected addresses to a mailing list. This is not a problem that will go away, it is out there in the wild now. This is the time to start implementing protections, not after the horse has left the barn. Confirmation is one of the better ways to protect an asset against this type of interference.
Followup post: Yet More Data Verification

Related Posts

Social network sends spam

Yesterday we talked about social networks that harvest the address books of registered  users and send mail to all those addresses on behalf of their registered user. In the specific case, the registered user did not know that the network was going to send that mail and subsequently apologized to everyone.
That is not the only way social networks collect addresses. After I posted that, Steve mentioned to me that he had been receiving invitations from a different social network. In that case, the sender was unknown to Steve. It was random mail from a random person claiming that they knew each other and should network on this new website site.  After some investigation, Steve discovered that the person making the invitation was the founder of the website in question and there was no previous connection between them.
The founder of the social networking site was harvesting email addresses and sending out spam inviting people he did not know to join his site.
Social networking is making huge use of email. Many of my new clients are social networking sites having problems delivering mail. Like with most things, there are some good guys who really do respect their users and their privacy and personal information. There are also bad guys who will do anything they can to grow a site, including appropriating their users information and the information of all their users correspondents.
It is relatively early in the social networking product cycle. It remains to be seen how much of an impact the spammers and sloppier end will have. If too much spam gets through, the spam filters and ISPs will adapt and social networks will have to focus more on respecting users and potential users in order for their mail to get delivered.

Read More

CAN SPAM compliance.

Over on the ET blog, Al posted about how CAN SPAM compliance is not sufficient for you to not be spamming.
It’s a bit different perspective, but very complimentary to my post yesterday about what is and is not spam. He and I have both heard from ISP people about how many requests for whitelisting or unblocking are prefaced with, “We comply with CAN SPAM” and how meaningless that statement really is. Al has a longer discussion of why.

Read More

How to be a spammer

JD had a comment on my Valentines day semi-fluff post, that really summed up the reality for senders. He said

Read More