Google and Amazon and B2B spam

Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies.
Most legitimate network providers pay at least lip service to not allowing abusive behaviour such as spam from their networks, so a spammer has to make a few choices about what infrastructure to use to optimize their costs.
They can be open about who they are and what they do, and host with a reputable network provider, and build out mailservers much as any legitimate ESP would do. But eventually they’ll get blacklisted by one of the more reputable reputation providers – leading to little of their mail being delivered, and increasing the pressure on their provider to terminate them. They social engineer their provider’s abuse desk, and drag their feet, and make small changes, but eventually they’ll need to move to another provider. Both the delaying tactics and the finally moving are expensive.
Or they can host with a network provider who doesn’t care about abuse from their network, and do the same thing. But they’ll still get blacklisted and, unlike on a more reputable network, they’re much less likely to get any benefit of the doubt from any reputation providers.
Every time they get blacklisted they can move to a new network provider. That’s easy to do if your infrastructure is virtual machine based and moving providers just involves buying a new hosting account. But as anyone who’s heard the phrase “ramping-up” knows mail from new network space is treated with suspicion, and as they’re continually moving their mail won’t reach the inbox much.
Preemptively spreading the sources of your spam across many different IP addresses on different providers, and sending spam out at low enough levels from each address that you’re less likely to be noticed is another approach. This is snowshoe spam and spam filters are getting better at detecting it.
What to do? In order to get mail delivered to the inbox the spammer needs to be sending from somewhere with a good reputation, ideally intermingled with lots of legitimate email, so that the false-positive induced pain of blocking the mailstream would be worse than their spam. That’s one reason a lot of spammers send through legitimate ESPs. They’re still having to jump from provider to provider as they’re terminated, but now they’re relying on the delivery reputation of the shared IP pools at each new ESP they jump to. But that still takes work to move between ESPs. And ESP policy enforcement people talk to each other…
As a spammer you want your mail to be sent from somewhere with good reputation, somewhere you can use many different accounts, so your spam is spread across many of them,  flying below the radar. Ideally you wouldn’t have any documented connection to those accounts, so your activity won’t show up on any aggregated monitoring or reporting.
If nothing in the mail sent out identifies you there is nowhere for recipients to focus their ire. And if recipients can’t tell that the hundreds of pieces of spam in their inbox came from a single spammer, they’re much less likely to focus efforts on blocking that mail stream.
Over the past couple of years I’ve seen a new approach from dedicated B2B spammers, the sort who sell “buy and upload a list, blast out something advertising your company, track responses, send multiple mails over a series of weeks” services to salespeople. They’re the ones who tend to have glossy, legitimate websites, talking about “lead nurturing”, “automated drip campaigns” or “outreach automation”.
They have each of their customers sign up for gmail or google apps accounts, or use their existing google apps accounts, and then the spammer funnels the spam sent on behalf of that customer through that google account. There’s no obvious connection between the spammer and the google account so there’s no risk to the spammer. Google is fairly unresponsive to spam complaints, so as long as the volume sent by each customer isn’t spectacularly high it’s going to be well below Google automation’s threshold of notice.
Google do record where mail that’s injected into their infrastructure in this way comes from, in the Received headers. But the spammers run their sending infrastructure – list management, message composition, tracking and so on – on anonymous, throwaway virtual machines hosted on Amazon’s EC2 cloud, so there’s nothing in the email that leads back to the spammer.
And, for recipients, that’s a problem. Spam filters aren’t going to block this sort of mail, as they can’t easily tell it is this sort of mail. It’s coming from Google MTAs, just like a lot of legitimate mail does. In terms of sheer volume it’s dwarfed by botnet sourced mail or dubious B2B manufacturing spam out of Shenzhen. But, unlike most of that, it’s in your inbox, in front of your eyeballs and costing you time and focus. And that’s much more expensive than network infrastructure or mailbox storage space.
I’m not sure what, if anything, Google or Amazon can do about it at scale, but it’s something that’s going to need to be dealt with eventually.
Meanwhile, if you receive some marginally personalized mail from a sales rep, one attempting to look like 1:1 mail, look at the headers. If you see something like this …

Received: from nordvpnmedia.com (ec2-23-22-26-38.compute-1.amazonaws.com. [23.22.26.38]) by smtp.gmail.com

… at least now you know something about where it came from.

Related Posts

Targeted marketing done badly

There was quite a bit of content I cut out on my rant about parasites in the email ecosystem earlier this week. I had whole section on people who ask to connect on LinkedIn and then immediately send a pitch or scrape your address and add it to their marketing automation software and start spamming. Generally, the only reason I will drop someone off LinkedIn is because they do this.
envelopes
Today, one of the deliverability mailing lists has been hopping over spam many folks in the industry received. The discussion started off simple enough, someone said “Is <companyname> spamming the industry?” People immediately chimed in that yeah, it did appear so.
A few people said they’d gotten the message and thought it was personal and were disappointed it wasn’t. Others weren’t sure why they were chosen to receive this message, or why some of their co-workers were chosen. A few of us didn’t get them. I didn’t.
This is a great example of marketing that was reasonably well planned, but a total fail for not knowing their audience. The product in question is an anti-abuse product. The company wants to reach people in the anti-abuse industry. They go off and find people in the anti-abuse industry and send them an email. Mail that seems personalized. It was a perfectly reasonable email. It asked questions and did get some people to engage with it by replying. They even appear to have done A/B testing on subject lines.
All solid marketing decisions. All great things to do.
But, the anti-abuse community is small, particularly the ESP anti-abuse community. We talk on mailing lists, IRC, LinkedIn, Facebook and Slack – and those are just the places I’m connected to. I’m sure there are other meeting places. The fact is, we’re a community and we do interact. If you’re going to try and do something like this, you have to expect that we’re going to realize you’re spamming. And many of us have very low tolerance for this kind of stuff.
A few years ago I worked with some senders who acquired most of their email addresses from technical conferences. They had a lot of delivery problems because a lot of their audience were the people who wrote and maintained filters. Spam the person who writes a spam filter and you may find yourself locked out from all of those filter users. I finally realized I couldn’t help those clients. No amount of technical perfection, personalization, looking like one-to-one mail or magic address cleaning is going to make this audience want your mail.
Marketing starts at understanding your audience. Permission is one of the better ways to understand your audience. Marketing to the anti-abuse crowd is a challenge. I can’t see any place where unsolicited email successfully fits into that plan.

Read More

Outreach or spam?

This showed up in my mailbox earlier today:
Pluckyou
The tweet in question
pluckyou2
From Crunchbase: “Pluck is an email prospecting tool that gives you the email addresses of the people tweeting about subjects related to your business.”
Prospecting: another name for spamming. Look, I know that you want to sell you’re newest, greatest product to the world. But just because I tweet something with a # that you think is relevant to your product doesn’t mean that I want to get your spam. I also know it’s hard to get attention and find prospects; I’m a small business owner, too and I need to market my own services. But spamming isn’t a good idea. Ever.
There’s been a significant increase in this kind of spam “to help your business” lately. It’s a rare day I don’t get something from some company I’ve never heard of trying to sell me their newest product. It might be something if they tried a contact or two and then went away. But they’ll send mail for weeks or months without getting an answer. Look, silence IS an answer and it means you need to go away and leave your prospects alone.
Unfortunately, there are services out there that sell a product that let you “automatically follow up” with your prospects. Pluck up there uses one of them, as that’s who’s handling all the links in the message. In fact, if you go to the bare domain (qcml.io) they talk a good anti-spam game. “Die, spammers, die.” I reported the message to them. I’m not expecting them to actually do anything, and I’m not expecting a response.
It’s just spam under another name. There’s no pretense that it’s anything else. Even if it’s sent in a way that makes it look like a real person typed the message, like QuickMail offers. “All emails will come straight out of your personal inbox as though you typed them yourself.” As if you typed them yourself.
The worst part is there’s no real way to stop the mail. I can’t unsubscribe. The companies selling the software don’t provide any guidance to their customers about what the law requires. Take the message from Pluck that started the post. It violates CAN SPAM in multiple ways. Moreover, the address they used is not publicly associated with my twitter handle, which means they’re doing some harvesting somewhere. That means treble penalties under CAN SPAM.
I could reply and ask them to stop mailing me. I’ve done that a couple times with a message that says, “Please don’t email me any more.” I’ve got to tell you, some people get really mad when you ask them not to email you. Some just say yes, but others are really offended that you asked them to stop and get abusive. It’s gotten to the point where I don’t ask any more because of that one person who decides to harass, threaten and scream at me. Sure, it’s maybe 1 in 5, but I don’t have the time or energy to figure out who is going to be receptive and who isn’t. I don’t have time for that. No one has time for that.
I’m expecting that filters are going to catch up eventually and these types of mail will be easier to filter out. Until then, though, small business owners like myself are stuck in a place where we have to deal with spam distracting us from our business. At least I get blog content out of it.
 
 
 

Read More

If I can't tell, it's spam

Judging by the amount of B2B spams I’ve gotten this past week, a number of businesses got bright, shiny new email programs for Christmas. “Like to set up a call with you…” “Just need 10 minutes of your time to explore…” “Love to jump on a call and tell you about our product…”
That’s just the mail that comes into my personal address. There’s also a raft of mail coming into our contact address. The majority of those are trying to sell me FB or Twitter followers, although Instagram is rising in the ranks. Some of those messages are kinda funny, though. They try so hard to pretend there’s a real person who really did look at our website and who really has a comment.
Most of the time it’s pretty obvious that it’s not from a human. But every once in a while a message comes in that might be from a real person. I’ve finally decided that if I have any question if a message was written by a human or a bot, it will be treated as written by a bot.
Unfair? Maybe. But I’m a small business owner and a consultant; I don’t have tons of spare time to sit around letting folks pitch me on their business. I don’t think I’m actually that unusual when it comes to entrepreneurs. We’re busy, we don’t like distractions and we go out and search for the things we actually do need.

Read More