Audit trails are important.

One of the comments on my Spamtraps post claims that audit trails should be maintained by recipients, not senders.

If people are using legitimate email addresses that legitimately opted in and verified details, they should be required to have a log of which lists they opted in to. You are just asking to hurt legit mailers.

The underlying reasoning appears to be that no sender ever spams, and that every recipient or spamtrap owner is simply too forgetful to remember what they signed up for. If recipients would only keep a list of where they sign up, spam would be a solved problem.
Not only is this an unpersuasive line of argument, it also pretends that mailboxes are full of opt-in mail the recipient has merely forgotten signing up for.
I do keep track of where I sign up for things. This doesn’t actually help when I get spam. For instance, I know that the address ticketmaster keeps spamming for raves in London was never used to sign up for anything. Yet ticketmaster keeps telling me it was. They, of course, can’t tell me when or from where, so I treat the mail as spam.
I know that another address did sign up at a client’s site in 2007 as part of an audit I was doing for them. In 2010 that address was leaked to (or stolen by) a bunch of affiliate spammers. In the last 18 months I’ve gotten over 19,000 offers to the address, none of which are related to the original signup. Many of those offers are from real brands, including some that have hired me to investigate their affiliate programs and larger delivery problems.
I know another address was used during correspondence with a vendor discussing payment terms. That address was never given to them to add to a newsletter. They mailed me anyway. I knew that the mail was spam.
Knowing what you signed up for and having a log of what you opted in to doesn’t do anything to stop a sender from sending spam. It also doesn’t help legitimate mailers who may end up with spamtraps on their list. In all of the above situations my knowing where the address was given doesn’t help me or the sender identify what part of their signup process is broken.
If, however, senders had a real audit trail for addresses, they could identify what import brought my address into their list. They could track the dodgy vendor that is selling them bad lists. They could identify the problematic import that brought employee address books into the newsletter database. They could identify what idiot used my email address to buy tickets in London.
If the senders knew what was broken, they could fix the problem and have more deliverable and more responsive mailing lists. Without an audit trail, however, they’re stuck with a bunch of addresses of unknown provenance.
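To make the argument concrete, here is an added example (not code from the original post) of the kind of per-address audit trail the post says senders should keep, together with the query a sender would run when a spamtrap hit or complaint comes in. The schema, the `AuditedList` class, and every address and batch name in the sample data are assumptions made up for illustration.

```python
"""Added example, not code from the original post: a per-address audit
trail for a mailing list and the question it lets a sender answer when a
spamtrap or complaint surfaces: how did this address get here, was it
ever confirmed, and which other addresses share the same suspect import.
All names, fields and sample addresses are constructed assumptions."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Provenance:
    """One record of how an address got onto the list (assumed schema)."""
    address: str
    source: str                   # e.g. "web_form:/newsletter" or "import:vendor_listco"
    when: datetime
    batch_id: str | None = None   # set for bulk imports, None for a single signup
    client_ip: str | None = None  # IP the signup came from, None for imports
    confirmed: bool = False       # True if the address replied to a confirmation mail


class AuditedList:
    """A list that never holds an address without a provenance record."""

    def __init__(self) -> None:
        self._by_address: dict[str, list[Provenance]] = defaultdict(list)
        self._by_batch: dict[str, set[str]] = defaultdict(set)

    def add(self, rec: Provenance) -> None:
        addr = rec.address.lower()
        self._by_address[addr].append(rec)
        if rec.batch_id:
            self._by_batch[rec.batch_id].add(addr)

    def history(self, address: str) -> list[Provenance]:
        """All provenance records for an address, oldest first."""
        return sorted(self._by_address.get(address.lower(), []), key=lambda r: r.when)

    def explain(self, address: str) -> dict:
        """Trace a trap hit back to its source and say what to do about it."""
        recs = self.history(address)
        if not recs:
            return {"known": False,
                    "action": "no record at all: suppress and audit the import pipeline"}
        batches = sorted({r.batch_id for r in recs if r.batch_id})
        siblings: set[str] = set()
        for b in batches:
            siblings |= self._by_batch[b]
        siblings.discard(address.lower())
        confirmed = any(r.confirmed for r in recs)
        if batches:
            action = "pull every address in the suspect batch and go back to its source"
        elif confirmed:
            action = "confirmed signup reached a trap: check the confirmation flow itself"
        else:
            action = "unconfirmed single signup: someone entered an address that is not theirs"
        return {
            "known": True,
            "first_source": recs[0].source,
            "first_seen": recs[0].when.isoformat(),
            "confirmed": confirmed,
            "suspect_batches": batches,
            "same_batch_addresses": sorted(siblings),
            "action": action,
        }


def build_sample_list() -> AuditedList:
    """Constructed sample data mirroring the situations in the post."""
    utc = timezone.utc
    lst = AuditedList()
    # A normal confirmed web signup.
    lst.add(Provenance("alice@example.net", "web_form:/newsletter",
                       datetime(2011, 5, 2, tzinfo=utc), client_ip="203.0.113.7", confirmed=True))
    # A purchased list from a vendor; the trap address came in with it.
    for a in ("trap@example.org", "bob@example.com", "carol@example.com"):
        lst.add(Provenance(a, "import:vendor_listco", datetime(2010, 3, 14, tzinfo=utc),
                           batch_id="vendor_listco_2010-03"))
    # An employee address book imported into the newsletter database.
    for a in ("billing-contact@example.org", "dave@example.com"):
        lst.add(Provenance(a, "import:employee_addressbook", datetime(2010, 6, 1, tzinfo=utc),
                           batch_id="addrbook_2010-06"))
    # Someone typed an address that is not theirs into a ticket form; never confirmed.
    lst.add(Provenance("not-mine@example.org", "web_form:/tickets",
                       datetime(2011, 7, 20, tzinfo=utc), client_ip="198.51.100.23"))
    return lst


if __name__ == "__main__":
    sample = build_sample_list()
    for addr in ("trap@example.org", "not-mine@example.org", "nobody@example.org"):
        print(addr, "->", sample.explain(addr))
```

The point of `explain` is the `same_batch_addresses` field: once the trap address is tied to an import batch, the sender can act on the whole batch and on the vendor that supplied it, rather than just suppressing one address and waiting for the next trap hit.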

Related Posts

Uptick in botnet spam

There’s been a heavy uptick in botnet spam over the last few days, judging by things I’m hearing and my own mailboxes. There are a few common subject lines, but all of them are trying to get recipients to either run programs or visit malicious web pages.
The first subject line I’m seeing a lot of is “<name> wants to be friends with you on facebook!” In my mailbox most of those names have not been common European names. The giveaway that this isn’t actually a Facebook invite is the Reply-To address pointing to Linkedin. The URLs in the message appear to be random strings of numbers, and may actually encode recipient information in them.
The second has a subject that is a variation on “End of July Statement.” The spammers are mixing capitals, adding in “Re:” and “FWD:” and sometimes increasing the urgency by adding required or STAT!! to the mail. These mails contain a .zip file which probably contains a virus that will turn the recipient machine into the next spam spewing bot.
The third variation has the subject line “Uniform Traffic Ticket.” The content is a citation that tells the recipient they were speeding somewhere in New York (possibly other states, I have only done a spot check of the couple hundred copies I have). There is, however, a .zip attachment with a virus.
Most people probably aren’t seeing these. SpamAssassin is doing a reasonably good job here of catching the spam and filtering it. I’m sure that the bigger ISPs are also filtering it effectively. But one person did forward a copy of the spam to a mailing list and ask if anyone knew what was going on.
If you get any of these messages, you don’t need to ask. It’s virus spam. Don’t open it and don’t forward it.


ESPs, complaints and spam

Steve wrote a while back about how Mailchimp handled his complaint.
Sadly, I have a counter example from recently.
