I was cleaning out my inbox over the weekend and found a spam that actually made me laugh.
Yes, it is spam advertising the “Official Greed[sic] Card Lottery.” It’s been 20 years since I’ve seen one of those!
Live, work and study in the USA
The American Dream Within Reach
50,000 people and their families will get a green card
Simple registration within 5 minutes
Yeah, we’ll get right on that!
I’ve talked about spamtraps in the past but they keep coming up in so many different discussions I have with people about delivery that I feel the need to write another blog post about them.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …
This morning I woke up to news that Sanford Wallace pled guilty to spamming. Again.
Sanford was one of the very early spammers (savetrees.com). He moved to email from junk faxing when Congress made junk faxing illegal in 2005. He sued AOL when AOL blocked his mail. He lost and the courts maintained that blocking spam was not a violation of the sender’s rights. Sanford then moved on to using open relays to avoid blocks. He was eventually disconnected from his backbone provider (AGIS) for abuse. Sanford sued AGIS for breach of contract and was reconnected for a brief period of time.
After his disconnection from AGIS, Sanford and a few of the other folks proposed a backbone provider that allowed bulk email marketing. That never really went anywhere.
Reading these old articles is a major blast in the past. The legal case between AGIS and Cyberpromotions was the event that led to my involvement in email marketing and spam. I even spent a Saturday afternoon in the late 90s with about a dozen people on a con call with Sanford and Walt talking about his backbone idea. My position was pretty simple: it wasn’t going to work, but as long as there was consent it was his network and he could do what he wanted.
I kinda lost track, just because he moved onto other ways of advertising and I got deeper and deeper into deliverability consulting. He did show up on my radar a few years ago when Facebook sued him for breaking into user accounts and using those accounts to spam. He lost a $711 million dollar judgement to Facebook, but given he didn’t have the resources the judge in that case recommended criminal charges.
Criminal charges were filed a few years later. Yesterday, Sanford pled guilty to fraud and criminal contempt as well as violating a court order to stay off Facebook’s network.
He now faces $250,000 in fines and up to 16 years in jail. Given his history, I expect he’ll figure out some way to still send spam even if he’s locked up.
Sanford is one of the reasons so many folks have such a low opinion of anyone who describes their business as “legitimate email marketing.” Sanford used the same phrase back in the late 90s. Of course no one, with the possible exception of him, actually believed that. But when someone like that adopts the moniker “legitimate email marketer” it’s hard to take them seriously when someone like Sanford has been using that since the late 90s.
Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for endusers and filters.