Recent Posts

Know what you're promising, and keep your promises

Although we can’t always provide a personal response to your complaint, we do investigate all reports. Please don’t interpret a lack of response as a lack of action taken. If we find that a customer is violating our policies, we will take make sure they stop the violating activity.
Read More

TWSD: Mail known spam trap addresses

One of the things we all “know” is that if spammers get their hands on spamtrap addresses then they’ll stop sending mail to those addresses. This is true for a lot of spammers, but sadly it’s not true for all.
I don’t think it’s any secret that I consult for all types of mailers, from those who just need a little tune up to those who want me to help them avoid filters and blocking. During some of these consulting projects, I use my own spam folder as research and provide information on the spam that I am receiving from them.
A few years ago I was working with a company who hires a lot of different affiliates to send acquisition email. A few of their affiliates had really poor practices and they were trying to figure out which affiliates were the problem. I handed over a number of mails from my personal spam traps, in order to help them identify the problem affiliate.
I told them, and their affiliate, what my spamtrap addresses were. And, for many years I stopped receiving that particular spam. But, over the last few weeks I’ve seen a significant uptick in spam advertising my former client.
I’m certainly not trying to convince anyone that handing over spamtraps is a good thing. But there is at least some evidence out there that they’re not even competent enough to permanently remove traps. I really have to wonder at how sloppy some marketers are, too, that they’ll hire spammers and not at least hand over a list of addresses they know are bad addresses to mail.
I really thought spammers were smarter than that. I am, apparently, wrong.
EDIT: Of course, mailing this spamtrap gets them nothing but a little ranty blog post here. It doesn’t result in blocking, or disconnection from their ISP or their ESP or anything else. I suspect if there was actually an affect, like, say, I started forwarding this mail to Spamhaus or other filtering companies, they might stop mailing this address. Anyone want a 20 year old, slightly used spam trap?

A new twist on confirmation

I got multiple copies of a request to “confirm my email address” recently. What’s interesting is the text surrounding the confirmation request.

Happy 4th of July

Judging by my inbox and the spam filter here on the blog spammers have taken the week off. We’re mostly following suit here, and I won’t be blogging the rest of the week.
To all my fellow American residents, enjoy the day off and the fireworks. Be careful if you are setting some off and live in a dry area, fires are scary.

Strangers, connections and social media

One of the major challenges of social media is letting people connect with folks they don’t know while preventing abuse. Most of the major social networks are trying.
Let’s look at LinkedIn and the tools they give users to stop abuse. Overall, they are pretty good about stopping their platform from being abused, but don’t have many processes to stop folks from harvesting connection addresses off LinkedIn and then adding those addresses to marketing lists. Does it happen frequently? No. But it does happen.
I have a pretty liberal “accept an invite” policy on LinkedIn. If people want to connect with me there and they have real profiles and they’re in a relevant space, I generally accept their invites. This means there are times when I connect with people I don’t know. I’m OK with this, LinkedIn is a great way to meet an interact with colleagues. It also means that sometimes people connect with me, take my information and add it to their marketing lists.
This morning I got an invite from Greg Williams. The name and profile looked like one I’d seen before, so I dug through my mail to see why this raised my hackles. I figured it out. Greg is president of some Tuscon area scholarship fund. A year or so ago he decided to ask all his LinkedIn connections to donate thousands of dollars to his non-profit. I decided this was not a connection I really needed on LinkedIn and removed him.
I don’t really have a connection with Mr. Williams. We didn’t go to the same schools, we don’t work in similar fields. LinkedIn tells me that we have two connections in common. I know nothing about him except that the last time I connected with him on LinkedIn he decided to take this as an invitation to spam me with money requests for his foundation. A foundation he didn’t really tell me anything other than “we give money for scholarships.”
Even more crazy is that Mr. Williams sent me an invite that says “I trust you and I’d like you to be part of my LinkedIn network.” I’m not sure who you are or who you think I am, but I don’t think you know me well enough to trust me.
I’m not against reconnecting with Mr. Williams again, but I want to be sure he understands that just because we connect on LinkedIn doesn’t mean I want to be added to his begging list. I looked for a way through LinkedIn to send Mr. Williams a response. But I can’t. My two choices are to ignore him or report spam. I think I’ll ignore him, for now.
One thing LinkedIn does to stop this problem is get feedback from users. When I click Ignore on the invite I get the opportunity to tell LinkedIn “I don’t know this person.” Hopefully, telling them I don’t know this person will stop future invites.
Social networks are a great thing and allow people to connect and create communities and interact with one another. Stopping users from abusing other members of the network is an important part of that community building framework.

Barracuda clicking all links in emails

A number of people have asked me recently if I know anything about appliances clicking all the links in emails. Some of those people have asked specifically about Barracuda, some have just asked if I knew of any filters that clicked links.
The answer is, yes, there are cases where spam filters have followed all the links in an email. One of the filters that I know has done this in the past is Barracuda. Based on discussions with the different people who are reporting this behavior, it does seem that this is happening more often. One person did mention that they were primarily seeing this with mail where the click domains were different from the From: domains.
I’m still working on getting more information from folks, and will update if I hear anything more. I’m also working on some advice for folks who get caught in this.
If you have experience with Barracuda (or other spam filters) clicking all the links in an email, drop me an email (contact)

Yahoo retiring user IDs: why you shouldn't worry

A couple weeks ago, Yahoo announced that they were retiring abandoned user IDs. This has been causing quite a bit of concern among email marketers because they’re not sure how this is going to affect email delivery. This is a valid concern, but more recent information suggests that Yahoo! isn’t actually retiring abandoned email addresses.
You have to remember, there are Yahoo! userIDs that are unconnected to email addresses. People have been able to register all sorts of Yahoo! accounts without activating an associated email account: Flickr accounts, Yahoo groups accounts, Yahoo sports accounts, Yahoo news accounts, etc,. Last week, a Yahoo spokesperson told the press that only 7% of the inactive accounts had associated email addresses.
Turning that around, 93% of the accounts currently being deactivated and returned to the user pool have never accepted an email. Those addresses will have hard bounced every time a sender tried to send mail to that address.
What about the other 7%? The other 7% will have been inactive for at least a year. That’s a year’s worth of mail that had the opportunity to hard bounce with a 550 “user unknown.”
If you’re still concerned about recycled Yahoo userIDs then take action.

Timely and appropriate mail

I woke up this morning to an exploding twitter and FB feeds with lots of friends cheering the defeat of DOMA and Prop 8. Apparently some companies are getting into the act as well.
(Behind a cut because some of this may be slightly NSFW in some places)

Spammers already abusing Vine

Spammers have already figured out how to abuse the new twitter video service (VINE) to make money. I wish I could say I was surprised, but spammers (and scammers) are some of the earliest adopters of technology out there. They adopt it and try to extract as much money as possible before the property owners can catch up and implement anti-abuse technology.
Too few companies actually build products with anti-abuse technology built in. This costs them and the victims money.

Bad unsubscribe processes

We recently renewed our support contract with VMWare. It’s a weirdly complicated system, in that we can’t buy directly from VMWare, but have to buy through one of their resellers. In this case, we purchased the original hardware from Dell, so we renewed our contract through Dell.
Dell sends my email address over to VMWare as part of the transaction.
My only role in this is as CFO. I approve the purchase and pay the bill. I don’t do anything technical with the license.
The email failures start when VMWare decides that I need to receive mail about some user group meetings they’re holding all over the US. First off, I’m not the right person to be sending this mail to inside our company. I’m the billing contact, not the user contact. Then, they send me mail about meetings all over the US, when they know exactly where I’m located. Would it be so hard to do a semi-personalized version that highlighted the meetings in my local area then pointing out the other locations? Apparently, yes, it is so hard.
The biggest failures, though are in the unsubscribe process.

The unsubscribe page is no big deal. I get to unsub from all VMWare communications, and submit that request without having to figure out what my VMWare password is or anything.
After I hit submit, I’m taken to this page.

Wait? What?
“Thank you for registering?” I didn’t register! I don’t want you to contact me. Plus, this is a HP co-branded page when I’m not a customer of HP. VMWare knows this, they know they got my address from Dell.
The biggest problem is that I’m not sure that my address was actually unsubscribed. I suspect that someone copied a form from elsewhere on the site to use as an unsubscribe form. This person forgot to change the link after the “submit” button was clicked. But what else did they forget to change? Is the unsubscribe actually registered in the database?
I suppose only time will tell if VMWare actually processed my unsubscribe. If they didn’t they’re technically in violation of CAN SPAM.
The lesson, though, is someone should check unsubscribe forms. Someone in marketing should own the unsubscribe process, and that includes confirming that unsubscribe pages work well enough.