SpamZa: corrupting opt-in lists, one list at a time

A number of ESPs have been tracking problematic signups over the last few days. These signups appear to be coming from an abusive service called SpamZa.
SpamZa allows anyone to sign up any address on their website, or they did before they were unceremoniously shut down by their webhost earlier this week, and then submits that address to hundreds of opt-in lists. This is a website designed to harass innocent recipients using open mailing lists as the harassment vehicle.
Geektech tested the signup and received almost a hundred emails 10 minutes after signing up.
SpamZa was hosted on GoDaddy, but were shut down early this week. SpamZa appears to be looking for new webhosting, based on the information they have posted on their website. 
What does this mean for senders?
It means that senders are at greater risk for bad signups than ever before. If you are targeted by SpamZa, you will have addresses on your list that do not want your mail. Some of those addresses could be turned into spam traps.

  1. Check your signups. If you see hundreds of signups coming from the same IP address over a very short period of time, treat them carefully. There are a number of things a sender can do to limit the impact on a list.
    1. Delete the addresses coming from a single IP
    2. Confirm the addresses coming from a single IP
  2. Implement confirmation. Start using closed loop opt-in (double opt-in) on new signups going forward. This will keep future incarnations of SpamZa from corrupting a list. It will also prevent lists from acting as attractive nuisances.
  3. Do not trust vendors. Senders who are are buying a list or using a co-reg provider must confirm all the addresses before mailing them. There are some suggestions that the SpamZa people are selling addresses. Senders must protect themselves and their assets.

The one thing a sender absolutely does not want to do is add any SpamZa collected addresses to a mailing list. This is not a problem that will go away, it is out there in the wild now. This is the time to start implementing protections, not after the horse has left the barn. Confirmation is one of the better ways to protect an asset against this type of interference.
Followup post: Yet More Data Verification

Related Posts

Political Spam

At Adventures in Email Marketing, there is a post up this morning about political spam. It seems Anna discovered that providing her email address on her voter registration card not only results in political groups sending her email to that address, but also that political email does not have to follow the rules of CAN SPAM. The article ends with a few questions and makes some suggestions.

Read More

Verifying email addresses

Over at CircleID Aviram Jenik posts about using email addresses as identification and how that can go horribly wrong if the website does no verification. In his case, the problem is a user who has made a purchase using Aviram’s gmail address and Aviram now has access to the other users personal information. As he explains it:

Read More

That's spammer speak

I’ve been hearing stories from other deliverability consultants and some ISP reps about what people are telling them. Some of them are jaw dropping examples of senders who are indistinguishable from spammers. Some of them are just examples of sender ignorance.
“We’re blocked at ISP-A, so we’re just going to stop mailing all our recipients at ISP-A.” Pure spammer speak. The speaker sees no value in any individual recipient, so instead of actually figuring out what about their mail is causing problems, they are going to drop 30% of their list. We talk a lot on this blog about relevancy and user experience. If a sender does not care about their email enough to invest a small amount of time into fixing a problem, then why should recipients care about the mail they are sending?
A better solution then just throwing away 30% of a list is to determine the underlying reasons for  delivery issues, and actually make adjustments to  address collection processes and  user experience. Build a sustainable, long term email marketing program that builds a loyal customer base.
“We have a new system to unsubscribe people immediately, but are concerned about implementing it due to database shrink.” First off, the law says that senders must stop mailing people that ask. Secondly, if people do not want email, they are not going to be an overall asset. They are likely to never purchase from the email, and they are very likely to hit the ‘this is spam’ button and lower the overall delivery rate of a list.
Let people unsubscribe. Users who do not want email from a sender are cruft. They lower the ROI for a list, they lower aggregate performance. Senders should not want unwilling or unhappy recipients on their list.
“We found out a lot of our addresses are at non-existent domains, so we want to correct the typos.” “Correcting” email addresses is an exercise in trying to read recipients minds. I seems intuitive that someone who typed yahooooo.com meant yahoo.com, or that hotmial.com meant hotmail.com, but there is no way to know for sure. There is also the possibility that the user is deliberately mistyping addresses to avoid getting mail from the sender. It could be that the user who mistyped their domain also mistyped their username. In any case, “fixing” the domain could result in a sender sending spam.
Data hygiene is critical, and any sender should be monitoring and checking the information input into their subscription forms. There are even services which offer real time monitoring of the data that is being entered into webforms. Once the data is in the database, though, senders should not arbitrarily change it.

Read More