What about the spamtraps?

I’ve been slammed the last few days and blogging is that thing that is falling by the wayside most. I don’t expect this to change much in the very short term. But, I do have over 1200 blog posts, some of which are still relevant. So I’ll be pulling some older posts out and sharing them here while I’m slammed and don’t have a lot of time left over to generate new content.
Today’s repost is a 2015 post about spamtraps.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …

… of a bigger problem with address collection.

Removing spamtraps …
… just means you’ve removed the spamtraps you know about.
… may mean you have a spamtrap free list …

… until you start adding new addresses to it.

… does not fix mail going to addresses belonging to other people.
… does not guarantee good delivery.
… ignores the underlying issues.
Why do people take spamtraps so seriously?
A lot of this is historical and some of it is to avoid arguments. Just about any sender, when told they’re sending mail to someone who didn’t ask for it will respond “But we only send opt-in mail! That person is wrong! They signed up!!” I’ve had this happen to me more times than I can count.
I’ve even had clients come to me in the past where I’ve been able to dig into my own mailbox to affiliate spam. This is always a fun conversation.
spammailboxMe: Here are a dozen examples of the mail your affiliates sent to me in the last month.
Client: All our affiliates send opt-in mail. They’ve assured us of this.
Me: This is an email address only ever published on a website / not used since 2001 to sign up for anything / untagged so it’s not something I would have given them.
Client: Our vendors say you’re wrong. Would you like to hop on a call with them so they can tell you when you opted in?
The calls have happened and vendors have argued with me about whether or not I opted in to receive stuff from them. It tends to end up them claiming I opted in to mail and me telling them I did not. Sometimes they tell me I just forgot – except all my actual opt ins are tagged addresses and have been since roughly 1999, so if you’re not mailing a tagged address, I never gave it to you. Sometimes they tell me I opted in to some company they purchased back in the late 90s and therefore they had permission to send to me.
The discussions are never productive. They are so fixated on their business story, that they will duck and weave and tell me I’m wrong about the spam they are sending me.
This is why people focus on spamtraps!
With spamtraps there isn’t the discussion of whether or not someone signed up. There’s no account owner, no one who has this address and could have signed up. Even in the case of recycled traps, the addresses generally bounced for a while telling senders there was no account owner there. Focusing on spamtraps on a list deflects the back and forth argument about whether or not the sender has permission to send mail they’re sending.
But spamtraps aren’t the problem!
In fact, I was just talking to one of the Spamhaus volunteers who told me “I hate the modern day focus on traps.” I agree. We focus on traps because it deflects and diffuses a lot of the arguments about whether or not someone opted in. But that means we don’t address a lot of real issues, either. If there are spamtraps on a list, then that list has problems. Focusing on removing the traps doesn’t resolve the problems, it just focuses on the traps. That tends to lead to a cleanup strategy that doesn’t do what the sender thinks it does.
Spamtraps are the symptom!
If there are spamtraps on a list, then there are also addresses that go to a person who never opt-in on that same list. Focusing on fixing the problems that led to the spamtraps getting on the list then cleaning off addresses that aren’t performing leads to better overall delivery and fewer problems. Focusing on getting rid of spamtraps may, but may not, fix a SBL listing. Maybe. But it’s my experience that fixing a SBL listing may only resolve a small fraction of delivery problems. Getting off the SBL by trying to address spamtraps, will not fix bulk foldering or temp fails are major webmail providers.
Focusing on improving overall list hygiene and really making sure that mail is wanted and expected by the recipients generally will resolve both the SBL listing and fix the other delivery problems that are happening because of poor data and poor list hygiene.
I’ve written about spamtraps before. 

 

Related Posts

September 2015: The month in email

SeptemberCalendarSeptember’s big adventure was our trip to Stockholm, where I gave the keynote address at the APSIS Conference (Look for a wrapup post with beautiful photos of palaces soon!) and had lots of interesting conversations about all things email-related.
Now that we’re back, we’re working with clients as they prepare for the holiday mailing season. We wrote a post on why it’s so important to make sure you’ve optimized your deliverability strategy and resolved any open issues well in advance of your sends. Steve covered some similar territory in his post “Outrunning the Bear”. If you haven’t started planning, start now. If you need some help, give us a call.
In that post, we talked a bit about the increased volumes of both marketing and transactional email during the holiday season, and I did a followup post this week about how transactional email is defined — or not — both by practice and by law. I also wrote a bit about reputation and once again emphasized that sending mail people actually want is really the only strategy that can work in the long term.
While we were gone, I got a lot of spam, including a depressing amount of what I call “legitimate spam” — not just porn and pharmaceuticals, but legitimate companies with appalling address acquisition and sending strategies. I also wrote about spamtraps again (bookmark this post if you need more information on spamtraps, as I linked to several previous discussions we’ve had on the subject) and how we need to start viewing them as symptoms of larger list problems, not something that, once eradicated, means a list is healthy. I also posted about Jan Schaumann’s survey on internet operations, and how this relates to the larger discussions we’ve had on the power of systems administrators to manage mail (see Meri’s excellent post here<).
I wrote about privacy and tracking online and how it’s shifted over the past two decades. With marketers collecting and tracking more and more data, including personally-identifiable information (PII), the risks of organizational doxxing are significant. Moreso than ever before, marketers need to be aware of security issues. On the topic of security and cybercrime, Steve posted about two factor authentication, and how companies might consider providing incentives for customers to adopt this model.

Read More

Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of chinese language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.

Read More

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Read More