BLOG

Large companies (un?)knowingly hire spammers

This morning, CSO and MacKeeper published joint articles on a massive data leak from a marketing company. This company, River City Media (RCM), failed to put a password on their online backups sometime. This leaked all of the company’s data out to the Internet at large. MacKeeper Security Researcher, Chris Vickery discovered the breach back in December and shared the information with Spamhaus and CSO online.

The group has spent months going through the data from this spammer. As of this morning, the existence of the breach and an overview of the extent of their operation were revealed by CSO and MacKeeper. Additionally, Spamhaus listed the network on the Register of Known Spamming Operations (ROKSO).

There are a couple interesting pieces of this story relevant to legitimate marketers.

The biggest issue is the number of brands who are paying spammers to send mail from them. The CSO article lists just some of the brands that were buying mail services from RCM:

[…] Nike, LifeLock, Liberty Mutual, Fidelity, MetLife, Victoria’s Secret, Kitchen Aide, Yankee Candle, Bath & Body Works, Gillette, Match.com, Dollar Shave Club, Dewalt, DirecTV, Covergirl, Clinique, Maybelline, Terminix, and AT&T.

This shouldn’t be a surprise to anyone who has been paying attention to the industry. We described this many years ago in a series of articles about mainstream spam. (Note: the organization in the article has cleaned up their act and no longer uses affiliates).

Addresses were collected through many ways, including the use of co-reg. Chris Vickery explains:

Well-informed individuals did not choose to sign up for bulk advertisements over a billion times. The most likely scenario is a combination of techniques. One is called co-registration. That’s when you click on the “Submit” or “I agree” box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.

You are never told who the affiliates are and groups like River City Media capitalize on that aspect. One line of the leaked chat logs explains it all very succinctly:

“The key is sincerity.  Once you can fake that…”

Legitimate companies do buy co-reg data, still. The problem is that there’s no real permission associated with the address. In the absolute best case scenario, permission is taken by the co-reg provider rather than given by the recipient. All too many co-reg vendors go out of their way to hide the fact that they will sell the addresses in their privacy policies. This isn’t transparent. This isn’t real permission.

One argument I’ve heard over and over about laws, particularly CASL, is that it’s targeting the wrong companies. As the argument goes, the real problem with spam is spammers, not legitimate companies. But CASL and other laws target legitimate companies. I never really bought into that argument as it’s clear to me a lot of the money supporting spammers comes from the legitimate companies spending real marketing funds.

Legitimate companies are paying third parties to send spam on their behalf and are profiting. For a long time brands have pretended they’re not responsible for the mail. This recent breach shows that they are paying spammers to send mail on their behalf.

Looks like maybe the laws are targeting the right companies.

Comment:

Your email address will not be published. Required fields are marked *

  • Indictments in Yahoo data breach

    Today the US government unsealed an indictment against 2 Russian agents and 2 hackers for breaking into Yahoo's servers and stealing personal information. The information gathered during the hack was used to target government officials, security employees and private individuals. Email is so central to our online identity. Compromise an email account and you can get access to social media, and other accounts. Email is the key to the kingdom.No Comments


  • Blogging

    It's been a wild week here in the US. I have to admit, the current political climate is affecting my ability to blog about email. I've always said email is not life or death. And how can I focus on the minutia of deliverability when things are in such turmoil and uncertainty? There are many things I want to write about, including some resources for those of us who are struggling with the current administration and changes in the US. What we can do. What we must do.  It just takes work and focus I don't have right now.    1 Comment


  • Email trends for 2017

    Freshmail has published a list of email marketing trends for 2017 from some of their favorite experts. I am honored to be included. Go check it out!No Comments


Archives