Appending
Appending in a nutshell
A few months ago a colleague sent me, and every other person on his overly large LinkedIn list, an email looking for some help hiring. It starts off with “Greetings LinkedI Connections” and ends with… an unsubscribe link.
Read MoreFraudulent signups or spam?
This morning I got spam from a major data broker / ESP / credit reporting agency claiming I’d signed up on some college website. In the UK. To check my credit score.
Uh. No. No I didn’t.
Of course, it’s very possible someone did use my email address when signing up for something at a UK university. They probably got a t-shirt or free pizza out of it. But that doesn’t really matter to me. A certain credit agency is spamming me with irrelevant and horribly targeted advertisements for their services and claiming the mail is opt in.
I know that address is widely sold in the UK to “legitimate” marketers. It’s very possible that it was purchased by the spammer in question. Or, I dunno, maybe they’re the ones selling it. As a victim, I don’t really care why a company is spamming me.
Part of a sender’s job to make sure their data is accurate. And they failed.
But for this particular company, that’s par for the course. When I posted about this over on Facebook, I had multiple friends pointing out that this company regularly spams and sells spamming services.
Spammers gonna spam.
Target "acquires data"
It was our priority to inform as many guests as quickly as possible. Relevant emails were pulled from a variety of sources.
Read More
@AskTarget
Target acquires email addresses, exposing more customers to data breaches
As most folks now know hackers broke into Target systems last December and stole financial and other data from 110 million customers. Target has been responding to this breach reasonably well. They’ve been notifying customers that were affected and they’re providing credit monitoring for affected individuals. They seem to be totally on top of protecting their customer’s data and privacy.
Mostly.
They seem to be purchasing or otherwise acquiring email addresses from at least one major retailer in order to send out notifications about the breach to customers that never gave them email addresses. Yes, even those of us who chose not to give Target email addresses are receiving email from them.
I understand Target’s drive to contact affected users. I even appreciate that. What I don’t appreciate is that Target appears to be compromising my security in order to notify me my security was compromised. The data of mine that was compromised at Target would be credit card and possibly address information. My email address was not part of the compromise. So what does Target do? They go and acquire my email address from a third party.
Their solution to the compromise is collecting more data that is vulnerable to compromise from unrelated third parties? I’m not sure this is the most consumer friendly thing Target could do. In my case, Target sent mail to an address I’ve only given to Amazon. That means I now need to worry about my Amazon account security, on top of everything else.
Ironically, the email sent by Target tells me that I can click a link and get free credit monitoring. Then the email goes on to tell me the following:
- Never share information with anyone over the phone, email or text, even if they claim to be someone you know or do business with. Instead, ask for a call-back number.
- Delete texts immediately from numbers or names you don’t recognize.
- Be wary of emails that ask for money or send you to suspicious websites. Don’t click links within emails you don’t recognize.
Don’t click links within emails I don’t recognize? You mean like the one you just sent me? With a link to a credit monitoring website?
I appreciate the notice. I don’t appreciate is that Target went out of their way to collect more information about me than I actually gave them. I am now worried about Amazon’s security as well. How did Target get an address only provided to Amazon? I don’t appreciate that my efforts to keep my information secure (not providing email address to Target) was undermined by Target themselves.
The full text of the email, with the relevant headers (munged slightly for privacy) is under the cut, if anyone is interested.
Spamhaus changes
A number of ESPs are reporting an increase in SBL listings of big, well known brands. InterestingSBLs seems to confirm this.
Just on the month of June I see tweets reporting SBL listings for: Disney (again, and again) AAA Michigan, NRCC, the Mitt Romney campaign, Macy’s (again) Facebook, Walmart Brazil, Safeway, Bacardi.
What happened? I think there are a number of reasons for an increase in SBL listings of well known brands.
The first is that botnets are rapidly becoming a solved problem. That’s not to say that they’ve gone away, or that we should stop being vigilant about the spam and malicious mail coming out of them, but that there are more and better tools to deal with botnets than there have been in the past. That means that the folks at Spamhaus can look at different classes of unsolicited email.
I believe Spamhaus has some new mail feeds that let them see mail they were previously not seeing. Anyone who has multiple email addresses can tell you that the type of spam that one address gets is often vastly different than the type of mail another email address gets. When dealing with spamtrap feeds, that means that there is unsolicited mail that isn’t seen by the feed. I know there are companies who claim to have lists of hundreds of thousands of spamtraps, and I don’t doubt that some enterprising spammers have discovered Spamhaus spamtraps in the past. Adding new feeds means that Spamhaus will see spam that they were previously missing due to their traps being compromised.
As well as bringing up new feeds, I suspect Spamhaus has better tools to mine the data. This means they can see patterns and problem senders in a clearer way and list those that meet the Spamhaus listing criteria.
I’m not saying the Spamhaus standards have changed. Spamhaus has always said they will list anyone sending unsolicited bulk email. But, as with many organizations what they could do was limited by the available resources. That resource allocation has changed and they can deal with more senders.
What does all this mean for senders? In a perfect world it wouldn’t mean anything. Senders would actually be sending mail only to people who had asked to receive it. Senders would have good list hygiene and pull off abandoned addresses long before they could be turned into spamtraps.
But we all know this isn’t a perfect world. There are a lot of senders that have lists with years of cruft on them. And not all of those addresses on the list actually opted-in to receive that mail. Many of those senders have good stats, decent opens, low unknown user rates, and low complaint rates. But that doesn’t mean there aren’t problems with the lists. And those hidden problems may mean that just because you haven’t had a Spamhaus listing in the past doesn’t mean there isn’t going to be one in your future. It means senders who want to avoid SBL listings need to pay attention to list hygiene and dead addresses. It means the source of addresses and their audit trail is even more important than ever.
Meanwhile, ESPs are struggling to cope with the ongoing and increasing SBL listings.
EDIT: Mickey attributes some of the increase in listings to Spamhaus being better able to detect appended lists.
Leads, leads, leads!
There are a number of places that will sell business leads from data they’ve compiled, crawled or crowd-sourced. How great is that? Anyone can buy a list of targeted business information to use to further their business goals! Awesome! Great! Step right up and get your lead here!
But how accurate is that information really?
One of the bigger companies, which allows for public searches, is Zoominfo. I did some lookups recently just to see what their data is like. My conclusion? If the data they have on me is any indication of the overall accuracy of their data, companies are way better off just setting light to a pile of money in their parking lot instead of giving it to Zoominfo.
Let’s look at the data they have on me. When you go to their homepage and enter my name in, you get about 2 dozen profiles. Looking through them, there are a number that describe me.
Laura Atkins; MCRS rep. Fair enough, I do mention MCRS on a few of my webpages and was recently on their board of directors. What I can’t figure out is why they think the Minnesota Companion Rabbit Society is run out the Chesterfield County Business Development office. The MCRS is neither a business nor is it located in the state of Virginia. It’s not even located in the same time zone as Virginia. Strike 1 for Zoominfo.
Laura T. Atkins; Founding Partner. This one is the reference that is most clearly me. Zoominfo claims this information was “community contributed.” OK, so someone uploaded their address book and my name and contact info was in it. But they have my company listed as simply “Word.” Sure, Zoominfo went and scraped a bunch of info off our website, but that isn’t reflected in the actual listing. Strike 2 for Zoominfo.
Laura Atkins; Spamtacular. This one is one of my favorites. I’m listed as associated with Spamtacular. Spamtacular is a blog run by my former co-worker Mickey Chandler. Mickey’s currently working for a major ESP, but he blogs about email, spam and delivery under the Spamtacular.com domain. And, in fact, the “association” is that he lists me as part of the Spamtacular blogroll. But Zoominfo claims they have an email address and phone number for me associated with Spamtacular. According to Mickey, Zoominfo have repeatedly attempted to mail laura at spamtacular. It’s not just my email address they’ve pulled out of nether orifices, though. The Spamtacular corporate information is, if anything, more inaccurate than the MCRS data. Spamtacular is not and has never been registered anywhere near the state of California. Strike 3 for Zoominfo.
But wait! Just because they’ve struck out doesn’t mean they’re going to stop swinging or walk off the field.
Laura Atkins; Context Magazine. I did an interview with Context Magazine back in 2002, and Zoominfo claims they have a phone number for me. I suspect this is not my phone number, but, rather, is the main number for Context Magazine.
There are a couple of other, less interesting profiles for me: Spamcon Foundation, Deliverability.com. All are demonstrably me, but with no real contact information it’s not going to help anyone get in touch with me.
I have to admit, I’m actually surprised at just how totally inaccurate the data about me is. I’m not that hard to find. Zoominfo has 6 listings I can clearly identify as me. In those 6 listings:
Debating Appending
There was a session at the recent Email Insiders Summit that discussed appending. I wasn’t there, but I’ve been hearing about the session, including one description that involved the term ‘fist fight.’
I have found a couple articles about the session.
E-Append Comes Under Fire
Email Insider Summit Email Append Panel — The Day’s Hottest Debate
I encourage folks to read both articles and watch the video posted by Return Path. I agree with different points by folks on both sides of the debate. Appending can be a useful acquisition strategy for some companies. But we can’t pretend there’s any permission involved in common appending strategies.
Ignoring the lack of permission, I believe that the companies saying it is a successful strategy share some common factors.
Best Practices: your mileage may vary
YMMV. One of those abbreviations us old folks used ages ago before email had pictures and the closest we had to social networking was USENET and social gaming was in the form of MUDs. I rarely see it used any more. In a lot of ways that’s a sad thing. It was a very useful abbreviation. Using it at the end of a post full of advice was a sign that the author was providing information but knew that different situations may require different solutions. It acknowledged that what might be the best practice in one form may not be the best for another.
It’s not just the usage that seems to have declined, there seem to be a lot more people who just want to share The Answer! and not acknowledge their experience may not be universal. This seems particularly rampant in email marketing, at least to me (YMMV).
I’ve talked before about how I don’t believe there are any universal best practices for email.
Let’s be honest, the experience of a well known national retailer buying, or appending email addresses is not going to be the same as a local business doing the same thing. The national retailer acquiring email addresses and sending well targeted mail to their purchasers probably won’t cause too many delivery problems, and will generate revenue. The local pizza place probably won’t be so lucky.
A number of marketers have complained that they all too often hear “it depends” when they ask a question about email. But how well a particular email campaign perform does depend. Success depends on the audience and the offer. But more than just the specific offer, success also depends on how well known the brand is and what their real world reputation with customers is.
Customers are a lot more likely to give brands the benefit of the doubt if they like the product. That means poor practices don’t always result in poor results. It also means other companies may not have the same success with poor practices.
Your Mileage May Vary.
Costs and accounting for email
The decision by Cheetahmail to stop allowing customers to use email append caused a very long discussion on some of the marketing lists. One of the criticisms had to do with what a dumb “business decision” Cheetah was making.
I disagree. Appending, and other non-permission based sending cause a lot of costs to trickle down on the ESP. Many of the large ESPs have teams of 8 or 10 people working to manage delivery, deal with blocks and keep the mail flowing. In fact, I once had a client say “We want to be as clean as ExactTarget” only to choke when I told them how many people are on the compliance and delivery team at ET.
That’s not even looking at the cost of a SBL listing. One company estimated the cost of a slightly less than 24 hour block at over $1,000,000 in lost opportunity costs and in actual staff costs to deal with the listing. I know of one Fortune 20 company who had to re-engineer their entire customer and prospect databases due to a blocklist. And, yeah, that one was actually due to an append. They did an append and the append not only added a “new” address to a record where the person had previously opted out, but that person worked at a major spam filtering company. They experienced a whole world of very expensive pain.
Many ESPs are actually making a sound business decision by refusing to deal with non-permission mail, whether it be a purchased list or an appended list. The sender does not have permission to send to the addresses. That causes all sorts of delivery problems, which costs the ESPs lots of money and staff time to deal with. Most marketers won’t actually pay for the resources they use when appending or buying lists. Then they blame the ESP when their mail ends up in the bulk folder or is blocked outright.
I don’t think many marketers fully integrate the cost of dealing with a poor list into their decisions. My tweet from earlier today “If you have to “ignore all the costs associated with complaints” to find a positive ROI on opt-out mail, is there really a positive ROI? is a paraphrase of one of the things I heard.
ESPs can’t avoid those costs, they’re stuck with them. Lowering those costs by requiring senders to only send to recipients who have given permission is a smart business decision. Marketers don’t pay those costs, but if they even acknowledged them I suspect that there would be a whole lot less sloppy email marketing.
Cheetahmail on appending
Experian CheetahMail believes that opt-out email appending is no longer an acceptable practice, and that marketers should no longer use of this practice to acquire customer email addresses. EmailResponsibly
Read More
Links Sept 29, 2011
Al Iverson has a post up about his experiences with customers who try to acquire email addresses through appending.
J.D. Falk has a post up about the history of DKIM.
MAAWG and email appending
In today’s Magill Report Ken says:
The only surprise in the Messaging Anti-Abuse Working Group’s statement last week condemning email appending was that it didn’t publish one sooner.
Read More
However, MAAWG’s implication that email appending can’t be accomplished without spamming is nonsense.
MAAWG statement on email appending
MAAWG has published their position statement on email appending. It’s pretty explicit in it’s condemnation of the practice.
Read MoreEmail Change of Address
How many readers have ever submitted an email change of address form? How many readers even know where to go to submit an email change of address form?
And I’m not talking about going to a particular retailer and saying “change my email address” I’m talking about using one of the companies that offer email change of address as a service. Where do they get their names and email addresses? I sure don’t know.
How many readers have actually purchased an email change of address service for one of your mailing lists? Do you know where the addresses came from?
I’m wondering how many people buy email change of address services, but have zero clue how to sign up for them. I mean, I know, you can go to FreshAddress or Experian and get ECOA services. But I don’t know how to tell either of them that I want to be included in their ECOA services.
So how do consumers get to be on a change of address list? And how opt-in is their participation?
One reason I ask is that a number of my clients have stumbled into serious delivery problems recently. Investigation generally points back to the ECOA service they used. So I’m wondering how actively and knowingly consumers are using ECOA services.
Appendleads is not unusual
I called out David Williams from appendleads.com yesterday for his spam. Sure he’s a spammer, his database is full of garbage information and his email violates CAN SPAM but he’s not that unusual in the realm of list sellers. He is very typical of the people I see offering lists for sale.
List sellers are the internet version of used car salesmen. Everyone knows they are slimy sales guys who will do anything to close the sale. They don’t have a real web presence, just visit appendleads.com and see what I mean.
And yet, people still buy lists from them! I have no doubt that my spammer friend has a nice little business selling email addresses. He sends out spam, he gets a few responses, makes a tidy profit and then sends out another spam, hooks a few more people and makes more money.
OK, so not all list sellers are like appendleads. Some of them go so far to build a website. But at the core they’re the same. They are selling data that isn’t clean, it’s not opt-in, it’s not been verified.
This is why so many of us harp on not buying lists. The sales guys talk a great game, but they aren’t selling what purchasers think they’re getting. They also don’t care. They have no incentive to clean up their data. They have no incentive to accurately represent what they’re selling. All of the risk is on the person that sends the email. Once they have their money, the buyer is on their own.
Can you ever successfully purchase a list? I’m sure some senders have. But that experience is closer to winning more than a thousand dollars in the lottery than an actual good business decision.
Buying Lists
One of my email addresses at a client got spammed today offering to sell me appending services. I was going to post the email here and point out all of the problems in how he was advertising it, including violating CAN SPAM.
As I often do, I plugged his phone number into google, only to discover that my blog post from March about this spammer was the 2nd hit for that number. Well, go me.
I can report nothing has changed. He’s still violating CAN SPAM. He’s still claiming I have no right to post, share, spindle, mutilate or fold his spam. Well, in the interest in something, I thought I’d share the whole post this time. Just to warn folks from attempting to purchase services from appendleads.com (nice website, by the way).
You want to sell me a list?
Over the years, some of my clients have found it expedient to give me email addresses at their domains. These addresses forward mail addressed to laura@clientsite to my own mailbox. Generally these are so I can be added to internal mailing lists and have access to their internal tools.
It’s often amusing to see the spam that comes through to those addresses. Over the last few weeks I’ve received multiple spams advertising an email appending service.
Let the irony sink in. An email appending service is sending me an email at a client company offering the client company the opportunity to append email addresses. “See how accurate our appending is!”
How accurate can a service be if they can’t even target their own spam correctly?
In addition to the appalling targeting they’re also violating CAN SPAM (no physical postal address), their website is a collection of broken links and they don’t provide any company name or information in the email or on the website.
To top it all off, the mail says, “if you’re not the right person to act on this mail, please forward this to the right person.” Followed by a standard legal disclaimer that says, “The information contained in this e-mail message and any attachments is confidential information intended only for the use of individuals or entities named above. If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail at the originating address.”
I wonder if blogging about the utter email incompetence about mail from David Williams, Business Development (phone number: 800-961-5127) violates the confidentiality clause?
TWSD: Run, hide and obfuscate
Spammers and spamming companies have elevated obfuscating their corporate identities to an artform. Some of the more dedicated, but just this side of legal, spammers set up 3 or 4 different front companies: one to sell advertising, one or more to actually send mail, one to get connectivity and one as a backup for when the first three fail. Because they use rotating domain names and IP addresses all hidden behind fake names or “privacy protection services”, the actual spammer can be impossible to track without court documents.
One example of this is Ken Magill’s ongoing series of reports about EmailAppenders.
Aug 5, 2008 Ouch: A List-Purchase Nighmare
Sept 9, 2008 Umm… About EmailAppenders’ NYC Office
Sept 15, 2008 E-mail Appending Plot Thickens
Nov 11, 2008 EmailAppenders Hawking Bogus List, Claims Publisher
Dec 23, 2008 Internet Retailer Sues EmailAppenders
Feb 1, 2009 EmailAppenders Update
Mar 10, 2009 Another Bogus E-mail List Claimed
April 14, 2009 EmailAppenders a Court No-Show, Says Internet Retailer
April 21, 2009 EmailAppenders Gone? New Firm Surfaces
May 5, 2009 EmailAppenders Back with New Web Site, New Name
Their actions, chronicled in his posts, are exactly what I see list providers, list brokers and “affiliate marketers” do every day. They hide, they lie, they cheat and they obfuscate. When someone finally decides to sue, they dissolve one company and start another. Every new article demonstrates what spammers do in order to stay one step ahead of their victims.
While Ken has chronicled one example of this, there are dozens of similar scammers. Many of them don’t have a persistent reporter documenting all the company changes, so normal due diligence searches fail to turn up any of the truth. Companies looking for affiliates or list sources often fall victim to scammers and spammers, and suffer delivery and reputation problems as a result.
Companies that insist on using list sellers, lead generation companies and affilates must protect themselves from these sorts of scammers. Due diligence can be a challenge, because of the many names, domains and businesses these companies hide behind. Those tasked with investigating affiliates, address sources or or mailing partners can use some of the same investigative techniques Ken did to identify potential problems.