Industry News & Analysis

Spam isn’t going away

I got a piece of B2B spam last week that showed in several different ways why spam isn’t going away any time soon.

Systemic problems dealing with abuse at scale at Google. Ethics problems at Cloudflare. Problems dealing with abuse at scale at Amazon. Cultural problems in India, several times over.

Buckle up.

The spam content

The spam email itself looks pretty much like any business email. Slightly excessive use of bold, but more restrained than much of the legitimate email I get, both 1:1 and bulk. It’s trying to sell me inexpensive, outsourced software development.

Even the signature at the bottom is fairly restrained compared to many:

Other than my knowing that this isn’t email I asked for, and that it went to an email address I wouldn’t have given out, I can’t tell from the content that it’s not legitimate. Nor can the spam filter in my mail client, nor can SpamAssassin (“X-Spam-Status: No, score=-2.689”). It’s delivered right to my inbox.

New York? Probably not.

“Lisa Ross” and a New York area code. But “Private Ltd.” is not a US style company name. Let’s see who they really are.

Meet OnGraph Technologies of Noida, Uttar Pradesh, India.

I’m not suggesting that Lisa Ross and her New York phone number are entirely fake, but I can’t find any independent sign of her existence via, e.g., LinkedIn. The New York business address they provide is a shared office building mostly used by medical offices, and suite 304 seems to have at least five different businesses being operated out of it, judging from Google search. It’s either a single US salesweasel or a mail drop and a VoIP number.

So they’re an Indian company, about which more later. Let’s look at who is providing them service.


The spam is being sent from, presumably, Google Apps. It’s squeaky clean technically: it passes SPF, has valid DKIM and it’s even DMARC aligned, coming in from a Google IPv6 address that as far as I can tell has a decent sending reputation (SenderScore has never heard of it, but SenderBase thinks it has a good reputation).

It’s Google. There’s probably quite a lot of wanted email coming from there, so there’s no risk of it being blocked by recipients.
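What “passes SPF, has valid DKIM and it’s even DMARC aligned” means in header terms, as an added example that is not from the original post: it reads a receiver’s Authentication-Results header and checks whether the passing SPF and DKIM domains match the From domain. The header values and domains are constructed placeholders, and the two-label organizational-domain rule is a simplifying assumption.

```python
import re

# Constructed Authentication-Results values (RFC 8601 syntax). All domains
# are placeholders, not taken from the message described in the post.
ALIGNED = (
    "mx.example.net; "
    "dkim=pass header.i=@sender.example header.s=google; "
    "spf=pass (domain of lisa@sender.example designates 2001:db8::1 as "
    "permitted sender) smtp.mailfrom=lisa@sender.example; "
    "dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=sender.example"
)
UNALIGNED = (  # authenticates fine, but only as the sending platform
    "mx.example.net; "
    "dkim=pass header.d=esp.example header.s=k1; "
    "spf=pass smtp.mailfrom=bounce@mail.esp.example"
)

def parse_auth_results(value):
    """Return a list of {'method', 'result', <ptype.property>...} dicts."""
    value = re.sub(r"\([^()]*\)", " ", value)   # strip parenthesised comments
    results = []
    for part in value.split(";")[1:]:            # element 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        entry = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        entry.update(method=method.lower(), result=result.lower())
        results.append(entry)
    return results

def org_domain(domain):
    # Assumption: organizational domain = last two labels. A real DMARC
    # evaluator uses the Public Suffix List (needed for e.g. .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def domain_of(identity):
    return identity.rsplit("@", 1)[-1]

def dmarc_alignment(auth_results, from_domain):
    """Relaxed alignment of passing SPF/DKIM identifiers with the From domain."""
    want = org_domain(from_domain)
    spf_ok = dkim_ok = False
    for r in parse_auth_results(auth_results):
        if r["result"] != "pass":
            continue
        if r["method"] == "spf":
            spf_ok |= org_domain(domain_of(r.get("smtp.mailfrom", ""))) == want
        elif r["method"] == "dkim":
            signer = r.get("header.d") or domain_of(r.get("header.i", ""))
            dkim_ok |= org_domain(signer) == want
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc_pass": spf_ok or dkim_ok}

if __name__ == "__main__":
    for name, header in (("aligned", ALIGNED), ("unaligned", UNALIGNED)):
        print(name, dmarc_alignment(header, "sender.example"))
```

A pass here only identifies which domain takes responsibility for the message; as with the spam described above, it says nothing about whether the mail was requested.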

And this isn’t an actual user sending mail through Google. It’s a third-party app designed for spammers that connects to Google to parasitically take advantage of Google’s delivery infrastructure and reputation to send spam with little risk of it being blocked or filtered.

As I understand it, Google’s policy on people doing this is, pretty much, that it’s OK to use Google Apps this way and that the level of complaints due to this is low enough that it’s not something they tend to take any action on. And, at the scale they’re working at, I don’t blame them. They’re not making much profit margin on each Gmail account and only a little more on Google Apps – spending enough to mitigate outbound abuse more effectively than they currently do at scale would eat into their $26B profit.

A third-party app for spamming, you say?


SalesHandy provide a web app designed for spamming. They’re based out of Gujarat, India (of which more later). Their web infrastructure is all hosted by CloudFlare (of which more later), and their domain is registered through GoDaddy (of which, yes, more later).

They sell a bunch of services, including spamming via Gmail or Google Apps, link and open tracking for that spam, and a variety of address acquisition methods.

Their preferred acquisition method for high quality, targeted addresses is to buy their Chrome extension (hosted at Amazon EC2), subscribe to their service and harvest them from LinkedIn:

By entering the job title in the search bar and choosing the “People” tab. You can find up to 10 email addresses on a page. And keep moving to the next page. Within a matter of minutes, you can collect hundreds of email addresses.

Alternatively, for spammers who want bigger lists, they suggest using their software’s “find emails in bulk” option:

Make a list of prospects with their first name, last name and company domain.

Upload this list to Find That Email’s bulk find feature

Find email addresses

You might be thinking, how long will it take to find 5000 names and company domains. A solid trick is to get the help of a Filipino virtual assistant, who you can pay $2/hr to collect names.

SalesHandy sure aren’t going to take any action to stop spam being sent – that’s their business.


They’re the spammers. They don’t care.

Their inbound email is all handled by Google. Their web infrastructure is hosted by both Amazon and CloudFlare.

Amazon EC2

Amazon do more than selling you so many things online that the limiting factor is how fast you can recycle their cardboard boxes.

They also offer a very solidly engineered cloud hosting environment, EC2. It’s huge. Half the companies you can think of are hosted there, including most of Netflix’s infrastructure. They let you spin up virtual machines, use them, then destroy them and charge you just for the minutes you use them.

All of which is great, but also very ripe for abuse. When EC2 first started it was a horrible source of spam, but by 2009 or so almost everybody was just blocking all email coming from EC2 network space – this is the main thing that triggered the business of ESPs with APIs aimed at web developers, such as SendGrid. Eventually Amazon throttled outbound email from EC2 down to almost nothing, and set up their own ESP – Amazon SES – to siphon off some of the profits from providing EC2 users with a channel to send email.

That fixed the problem of spam being literally sent from EC2 quite effectively. But it’s still a pretty safe place to host abuse-related websites. They do have an email address that accepts reports of abuse, which is handled by a bot that checks to see if you mention a valid EC2 IP address and sends a friendly reply if you do. But I’ve reported “bad” websites on their network and they’ve still been there, at the same IP address, when I’ve checked weeks later. I suspect that as long as the content itself isn’t illegal there’d need to be quite a high volume of complaints to provoke action. Again, it would be expensive to mitigate abuse at this scale, eating into their $180B profits. And as the vast majority of sites hosted are at worst harmless, no third party is going to filter them en masse – that’d just be silly.

So no help there.


CloudFlare host websites, so as to hide the people who operate them and protect them from being taken down. If you ask them about that, they’ll agree with most of it, but tell you at tedious length that they don’t host websites, they just provide the public IP address and TLS certificates for websites and proxy the traffic to the real webserver elsewhere.

Whatever. They’re the only people who can effectively take down a website that they’re hosting/proxying. And, as a matter of policy and deep personal belief, they don’t. They do, however, dox anyone who reports abuse to them to the abusive websites. That applies to Nazis, White Supremacists and some of the nastiest hate sites on the Internet. They’re certainly not going to care about B2B spammers or spamware vendors.

Definitely no help there.


I’m picking on GoDaddy because they’re ahead of the curve on hiding or falsifying data about domain ownership, but most domain registrars are comparable.

If anything, GoDaddy used to be a riskier place to register a domain that was going to be used abusively than most registrars, as their abuse enforcement was inconsistent – sometimes serious issues were ignored, other times a domain would be yanked for no particularly obvious reason. They’ve gotten more in line with other registrars recently, though, and while I’m sure they’re responsive to subpoenas and law enforcement requests, abuse reports are mostly ignored. (I just spot-checked and an abusive domain I told them about in mid-December is still up and spamming. I never got a response from GoDaddy.)

Currently whois results from GoDaddy look, at best, like this:

Registrant Name: ******** ******** (see Notes section below on how to view unmasked data)
Registrant Organization: Ikigai Infotech LLP
Registrant Street: 810 Shree Balaji Heights
Registrant Street: Nr. Tanisq showroom
Registrant City: Ahmedabad
Registrant State/Province: Gujarat
Registrant Postal Code: 380009
Registrant Country: IN
Registrant Phone: +**.**********
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: ********@*****.***
Registry Admin ID: Not Available From Registry

WHOIS consumers who are now receiving masked data can visit: to look up the unmasked data. You can also
get whitelisted, to get unmasked data via Port 43. Find instructions
on how to apply for whitelisting here:

(They have fixed the whois lookup URL, but the whitelisting URL is still broken).

The registrar issue is going to get worse as, driven partly by European adoption of GDPR, registrars are likely to be hiding all information about the identity of a domain owner from everyone but law enforcement and maybe some security companies.

So no help there.


Why mention the country that both the spammer and the company they use to send spam through are based in?

Because a lot of spam, B2B spam in particular, comes from India. And none of the providers there seem to care.

It appears to be a cultural problem from the top of the country down.

I regularly get spam from Narendra Modi, the Prime Minister of India, or at least spam sent on his behalf by the Indian Prime Minister’s Office. It’s sent to a variety of email addresses, harvested from various places (and one that was stolen from a US government database).

Which entity actually sends the spam from the Prime Minister? – the department of the Indian Government responsible for most of their internet backbone, messaging and IT.

No help there either.


There will be increasing volumes of B2B spam being sent for the foreseeable future, and there doesn’t seem to be much we can do to change that.

If your career involves filtering inbound spam – consumer, SMB or enterprise – it seems your skills will be in demand for a long while yet.


Yahoo fixed

The Yahoo bounce problem has been resolved. There were erroneous ‘554: this user does not have a account’ between March 14 and March 16. If you attempted to send mail and received this bounce during that time you can reactivate the address in your database. Most ESPs should be able to help you with this.

Moving forward, though, these bounces are valid and addresses should be removed from your list according to standard data hygiene processes.


The data are what they are

I’ve had a lot less opportunity to blog at the recent M3AAWG conference than I expected. Some of it because of the great content and conversations. Another piece has to do with lack of time and focus to edit and refine a longer post prompted by the conference. The final issue is the confidential nature of what we talk about.

With that being said, I can talk about a discussion I had with different folks over the blog post from Mailchimp looking at A/B testing. The whole post is worth a quick read, but the short version is when you’re doing A/B testing, design the test so you’re testing the relevant outcomes. If you are looking for the best whatever to get engagement, then your outcome should be engagement. If you’re looking for the best thing to improve revenue, then test for revenue.

Of course, this makes perfect sense. If you do a test, the test should measure the outcome you want. Using a test that looks at engagement and hoping that translates to revenue is no better than just picking one option at random.

That particular blog post garnered a round of discussion in another forum where folks disagreed with the data. To listen to the posters, the data had to be wrong because it doesn’t conform to “common wisdom.” The fact that data doesn’t conform to common wisdom doesn’t make that data wrong. The data is the data. It may not answer the question the researcher thought they were asking. It may not conform to common wisdom. But barring fraud or massive collection error, the data are always that. I give Mailchimp the benefit of the doubt when it comes to how they collect data as I know they have a number of data scientists on staff. I’ve also talked with various employees about digging into their data.

At the same time the online discussion of the Mailchimp data was happening, there was a similar discussion happening at the conference. A group of researchers got together to ask a question. They did their literature review, they stated their hypothesis, they designed the tests, they ran the tests. Unfortunately, despite this all being done well, the data showed that their test condition had no effect. The data were negative. They asked the question a different way, still negative. They asked a third way and still saw no difference between the controls and the test.

They presented this data at the conference. Well, this data went against common wisdom, too, and many of the session participants challenged the data. Not because it was collected badly, it wasn’t, but because they wanted it to say something else. It was the conference session equivalent of data dredging or p-hacking.


Overall, the data collected in any test, from simple marketing A/B testing through to a phase III clinical trial, is the answer to the question you asked. But just having the data doesn’t always make the next step clear. Sometimes the question you asked isn’t what you tested. This doesn’t mean you can retroactively find signal in the noise.

Mailchimp’s research shows that A/B testing for open rates doesn’t have any effect on revenue. If your final goal is to know which copy or subject line makes more revenue, then you need to test for revenue. No amount of arguing is going to change that data.




UPDATE: Spike in Yahoo unknown users

I still don’t have any solid information on the cause of the Yahoo bounces. I do know that folks inside Yahoo are looking into the issue.

However, multiple people (including my clients) are reporting that the addresses that are bouncing have very recent click and open activity. Other reports say these addresses deliver on a resend.

It looks like my advice yesterday was incorrect. I’m currently telling clients to continue mailing addresses for the time being.



Possible spike in Yahoo unknown users

Multiple folks are mentioning seeing an increase in “user unknown” responses from Yahoo. Some people are discussing this with Yahoo.

Right now, best advice is to believe these are accurate user unknowns. UPDATE: There is increasing evidence these are not valid user unknowns. See next post.


Speaking in June

ActiveCampaign is hosting their very first user conference in Chicago in June. I am honored to be a part of their speaker lineup.

Early bird registration only $450 through April 30.


Happy International Women’s Day

It’s International Women’s Day, and I thought I’d take a moment to mention some of the many, many women who have inspired me and helped me along the way. Some of them work in deliverability and compliance. Others are business colleagues. Still others are cheerleaders and inspiration. All of them make the world a better place.

  • Jen
  • April
  • Kristin
  • Kelly
  • Judith
  • Mary
  • Heather
  • Skyler
  • Kate
  • Rachel
  • Karen
  • Sue
  • Autumn
  • Lili
  • Mary (the other one)
  • Sara
  • Asya
  • Christine
  • Heather (the other one)
  • Anna
  • Melinda
  • April (the other one)
  • Laura (the one that’s not me)
  • Catherine
  • Tara
  • Jamie
  • Tifaine
  • Hope
  • Anna (the other one)
  • Josie
  • Alice
  • Kate (the other one)
  • Lisa
  • Kiersti
  • Laura (the other one that’s not me nor the other one)
  • Denise
  • Stephanie
  • Michelle
  • Liza
  • Justine
  • Rachel (the other one)
  • Jenifer
  • Jen (the other one)
  • Murph
  • Courtney
  • Sue (the other one)
  • Elizabeth

A giant shout out and thank you to all these women. Many of them spend their days making the Internet a safer place. That means they see some of the grottier corners that none of us want to experience.

You are all amazing and awesome and I am better for having known you.

My contribution for today is to recognize some of the amazing women I know and work with. What are you doing for International Women’s Day?




What does good IP Reputation get you?

Today I was discussing some mailing list posts with an ESP colleague. He was telling me some interesting numbers he’d collected from different IP pools they maintain. He was testing routing mail through IPs based on subscription process and routing based on engagement metrics. The data showed that inboxing rates were similar across the test groups. As he put it, “IP reputation didn’t have much impact on inbox delivery.”

I’m not surprised. I’ve been talking for a while about how IP reputation is less important in reaching the inbox. In fact, it was almost 5 years ago now that I wrote The Death of IP Based Reputation. I updated it in 2015 with Deliverability and IP Reputation. Overall, IP reputation is a much smaller piece of reaching the inbox now than it has been in the past. I’ve talked about the reasons for this in the above posts. The short version is:

  • IP reputation is a crude hammer;
  • IPv4 addresses are in very limited supply, in network terms more customers / IP is a good thing;
  • Spammers use botnets, sending large amounts of email across many IPs;
  • IPv6 is huge and IP based blocking will be challenging and of limited effectiveness; and
  • Better computing power makes content scanning more feasible.

IP Reputation Still Matters, a little

This doesn’t mean senders can, or should, ignore IP reputation. Even Gmail looks at IP reputation a little bit. The place IP reputation is primarily used is during the SMTP transaction. Good IP reputation does lead to less rate limiting. Senders with good IP reputation can send more mail faster than senders with poor reputation. But once the SMTP transaction is over, IP reputation is just a small factor in a large pool of variables.

IP Reputation Still Matters, a little more.

There are some places that heavily rely on IP filters. And some places that rely on certain types of IP filters. Most of the major providers will block mail from home users, dynamic IPs, and infected machines. Additionally, there is and will probably always be a long tail of domains that are still relying on IP based filters. It’s a crude hammer, but it’s an effective one. Typically, though, IP reputation in those cases is in the eye of the root user. The good news is, these are often private networks, and users have the option to use less restrictive free providers if they’re not getting the email they want.



And… we’re back

There was an unexpected break in blogging over the last 2 weeks. Between M3AAWG, a week of house guests and some upcoming big changes I didn’t get much writing finished. I started, and am still working on, about half a dozen different posts.

Thanks for your patience, we’ll get back to our regularly scheduled writing soon.




2017 Deliverability Benchmark report

Return Path has released their 2017 Deliverability Benchmark Report. I haven’t had a chance to look at it, but did download it earlier today.

EContent has a summary of the article up, with the headline “Research Finds Email Senders with Strong Subscriber Engagement Are Likely to See Less Email Delivered to Spam.” Useful data points they pulled out include:

  • The increase in spam placement is somewhat offset by the fact that consumers were more likely than ever to “rescue” wanted mail from the spam folder, as demonstrated by the significant year over year increase in the “this is not spam” rate (1.77% in 2017 versus 1.04% in 2016).
  • Subscribers read email at a slightly lower rate than last year (21.5% in 2017, 22.2% in 2016), but mail that is ignored (or “deleted before reading”) was also slightly less common than a year ago (11.9% in 2017, 12.5% in 2016).

