Spam from mainstream companies

Yesterday I wrote about spam I received advertising AARP and used it as an example of a mainstream group supporting spammers by hiring them (or hiring them through proxies) to send mail on their behalf.
My statement appears to have upset someone, though. There is one comment on the post, coming from an IP address allocated to the AARP.

This isn’t from AARP… this is a SPAM that’s been going around for years now. Did you bother looking into the source code to see where it sends you? My guess is it ain’t AARP… Do you know what you’re talking about?

What I’m talking about is one reason spam is such a problem. There are a large number of mainstream companies, like AARP, that support spammers by hiring them either directly or indirectly.
Sure, the links in the email don’t point directly to the AARP. They go through multiple redirects and end up at https://www.aarpmembership.org/enroll/index.php<encodedlink>. I grabbed a screen shot of the website.

Screenshot of not-the-AARP spam landing page
Doesn't this look like an official AARP website?
If you pull off the encoded end of the link and just go to aarpmembership.com, then you get a 403 Forbidden message. That’s what spammers do: put up partial websites to collect information. They don’t bother mirroring the customer’s whole website, they just put up a form to collect information.
Now, it’s certainly possible that this spam is from a group of phishers attempting to use the AARP brand. If that’s true, though, why is the commenter asking me if I know what I’m talking about? Why isn’t he concerned about the AARP brand being advertised in spam?
I’m not trying to pick specifically on the AARP; they’re not the only company to do this. Gerber hired spammers to sell me their baby-insurance package. Gevalia has been advertised by spam for years. The list of companies using spam goes on and on.
But this behaviour is a major part of the spam problem: hiring spammers to send mail while being able to claim it was the work of some spammer who just decided to send mail advertising AARP memberships, or Gerber baby insurance, or 500 business cards for a dollar. This is why the ISPs keep increasing their standards. This is why getting into the inbox is so difficult. This is why just being a legitimate company isn’t enough.

10 comments


  • I generally think you do a stand up job on your posts, and I know it’s tough to keep coming up with relevant, new and interesting posts, but I think your responder may have a point (albeit nastily worded) about this email in particular that you could have better acknowledged.
    aarpmembership.org is registered to sendtec.com, which at first glance appears to be a rather unsavory group (who happens to have filed for chapter 11 protection last year).
    The IP for aarpmembership.org is a Rackspace IP with whois info pointing to Texas.
    AARP’s real domain, aarp.org (presumably) is registered to AARP and its IP has whois information swiped to them in Washington DC.
    I think there is a fair amount of evidence that these two companies have nothing to do with each other and 5 minutes of detective work on your part would have helped you figure that out. I think perhaps a mea culpa is in order :).
    Of course your primary point still stands–large companies need to have better control over what sort of “affiliates” are marketing for them.
    As for AARP, I believe that they are always fighting these sorts of name co-opting scams due to the fact that senior citizens are more easily duped than us young whippersnappers.

  • Justin, I don’t think you’re correct here. This looks to me like an affiliate of AARP — AARP is probably paying the affiliate for any successful signups. I bet you’ll find affiliate conversion tracking code on the final step of the signup process on the AARP website.
    Go back and read your CAN-SPAM — affiliate marketers advertising on behalf of a company can drag that company into legal liability for bad practices.

  • BTW, my point ultimately is, this is spam from AARP. If AARP works with a partner to advertise on their behalf and that partner is doing bad things, liability applies to AARP both under common sense and under CAN-SPAM. Did Laura sign up for this email? Is this email being sent by somebody authorized by AARP to advertise on their behalf? If no to the first, and yes to the second, AARP has just spammed Laura.

  • I think there is a fair amount of evidence that AARP hired sendtec (or hired a marketing company who hired an email company who has an affiliate who hired sendtec) to send ‘acquisition’ mail for them. Sendtec, as with many spamming companies, set up domains to give AARP cover and plausible deniability that AARP was not actually responsible for or benefiting from the spam.
    I don’t believe this is someone co-opting AARP and using it to phish. The reaction of the AARP contractor that posted yesterday only reinforces this. If someone was sending out this mail advertising “aarpmembership.org” without authorization, I would have expected them to ask for evidence and help in tracking down the company using their name and copying their signup form. Instead, they simply said “can’t prove it was us.”
    This is exactly the behaviour of mainstream companies that want to use spam, but want enough cover that their brand doesn’t take a hit for being spammers.

  • Fair rebuttals.
    The thing is, that site has an SSL cert with no ownership info (from GoDaddy of all places) and it’s asking for credit card info with a script that posts back to the index.php file.
    That really really really seems like phishing to me.
    The other plausible scenario is that some branch office somewhere is trying to get its membership numbers up.
    Of course, all of this is kind of silly speculation. Your initial point regarding knowing what affiliates are doing with your brand still holds (believe you me… I am dealing with this sort of thing first hand), and I agree with your follow up point that the other poster from AARP should have been much more concerned.

  • Just to mention, the aarpmembership.org domain is now registered with AARP out of Washington. That was discussed up above and I wanted to point that out.

By laura