Spam
The Economics of Cold Outreach
It’s time we talk about cold outreach mail. In the last 2 years the volume and aggressiveness of cold outreach mail seems to have exploded. There are dozens of companies out there who are selling services to companies to facilitate cold outreach. My own sales mailbox is full of requests from companies to help them solve their delivery problems.
Looking back, looking forward
Six years ago today I wrote here “Spam isn’t going away“, talking about systemic problems at Google, Cloudflare and Amazon and in India.
Is email dead?
These last few years have been something, huh? Something had to give and, in my case, that something was blogging. There were a number of reasons I stopped writing here, many of them personal, some of them more global. I will admit, I was (and still am a little) burned out as it seemed I was saying and writing the same things I’d been saying and writing for more than a decade. Taking time off has helped a little bit, as much to focus on what I really want to talk about.
Confidential to ESPs
Dear Colleagues at ESPs,
We have a problem. More specifically, YOU have a problem. You have a spam problem. One that you’re not taking care of in any way, shape or form.
Misinformation on filters
I’ve seen reports that someone is asserting that utm=COVID19 in URLs results in all mail going to bulk at multiple ISPs. This is the type of thing that someone says is true and dozens of folks believe it and thus a “deliverability phact” is born. For a plethora of reasons, this doesn’t pass the sniff test. Don’t believe everything you read on the internet.
Advice on coronavirus emails
Gartner has some really good recommendations for companies considering mailing about the coronavirus pandemic.
Bad marketing automation, part deux
Back in April I wrote about some poor marketing automation that ended up spamming me with ‘cart abandonment’ emails when the issue was the company’s credit card processing went down. That post has now been scraped by the spammers Moosend and they keep sending me… poorly targeted automated spam.
CAN SPAM says I can!

Saw a new disclaimer on mail sent to an address harvested off our website today:
Opting out of “service” messages
A frequent question in a number of deliverability spaces is how to tell if a message is transactional or marketing. In most cases the decision is related to whether or not to respect an unsubscribe request. All too often companies decide that their messages are too important to allow someone to opt-out of. The problem is, in some cases, there is no longer a customer relationship to send notices about.
Spam is never timely nor relevant
One of the ongoing recommendations to improve deliverability is to send email that is timely and relevant to the recipient. The idea being that if you send mail a recipient wants, they’re more likely to interact with it in a way that signals to the mailbox provider that the message is wanted. The baseline for that, at least whenever I’ve talked about timely and relevant, is that the recipient asked for mail from you in the first place.
Spamming for deliverability
This morning I woke up to a job offer. I hear a number of other email deliverability folks received the same job offer.
ESPs are failing recipients
Over the last few years I’ve reduced the complaints I send to ESPs about their customers to almost nothing. The only companies I send complaints to are ones where I actually know folks inside the compliance desk, and I almost never expect action, I just send them as professional courtesy.
Explicit consent
I’m working on a blog post about correlation and causation and how cleaning a list doesn’t make it opt-in and permission isn’t actually as outdated as many think and is still important when it comes to delivery. Today is a hard-to-word day, so I headed over to twitter. Only to find someone in my personal network re-tweeted this:
It’s not marketing, it’s spam
There are times when I hesitate to call what marketers do “spam.” I can use the euphemisms with the best of ’em. “Cold emails” “Targeted Marketing” “B2B marketing.”
Gmail, machine learning, filters
I’m sure by now readers have seen the article from Gmail “Spam does not bring us joy — ridding Gmail of 100 million more spam messages with TensorFlow.” If you haven’t seen it, go read it. It’s not often companies write about their filtering philosophy and what tools they’re using to manage incoming bad mail.
One subscription should equal one unsubscription
One of the side effects of using tagged addresses to sign up for things is seeing exactly what companies do with your data once they get it.
Filters working as intended
One of the toughest deliverability problems to deal with is when mail is blocked or going to spam because the filters are working as intended. Often the underlying issue is a lack of permission.
B2B mail and compliance failures
This morning I got an email to a tagged address. The tag matched the company so it’s very likely I did actually sign up. Digging back through my mailbox, I see one previous email to that account – back in 2008.
Yeah… don’t do that
Never add someone to a mailing list without giving them a heads up that you’re doing it. It’s just uncool and rude. For example, I have been contacting some vendors about some work we need done. One of them has yet to answer my inquiry, but has already added me to their newsletter. Even worse, I had no idea submitting a form asking about their services would get me on their mailing list.
How much is too much?
Anecdotally I’m hearing a few different things about recent mail sends.
Transactional mail can be spam
Marketers have a thing about transactional mail. In the US, transactional mail is exempt from many of the CAN SPAM regulations. If they label a mail transactional, then they can send it even when the recipient has opted-out! The smart marketer looks for opportunities to send transactional mail so they can bother spam get their brand in front of people who’ve opted out.
Fun with spam filters
I recently had a challenging travel experience in the Netherlands, trying to get from Schiphol airport to a conference I was speaking at. As part of my attempt to get out of the airport, I installed UBER on my phone. There were some challenges with getting UBER to authorise my phone number, so I tried linking it to my Gmail account.
Zoho, phishing and who’s next?
ZDnet reports that Zoho’s problems with phishing aren’t over. Their report states that Zoho is being used as a pipeline to exfiltrate data from phished accounts.
Why is my cold email going to the spam folder?
Because that’s what the spam folder is for: unsolicited email.
Want some history?
I was doing some research today for an article I’m working on. The research led me to a San Francisco Law Review article from 2001 written by David E. Sorkin. Technical and Legal Approaches to Unsolicited Electronic Mail (.pdf link). The text itself is a little outdated, although not as much as I expected. There’s quite a good discussion of various ways to control spam, most of which are still true and even relevant.
From a historical perspective, the footnotes are the real meat of the document. Professor Sorkin discusses many different cases that together establish the rights of ISPs to filter mail, some of which I wasn’t aware of. He also includes links to then-current news articles about filtering and spam. He also mentions different websites and articles written by colleagues and friends from ‘back in the day’ discussing spam on a more theoretical level.
CNET articles on spam and filtering were heavily referenced by Professor Sorkin. One describes the first Yahoo spam folder. Some things never change, such as Yahoo representatives refusing to discuss how their system works. There were other articles discussing Hotmail deploying the MAPS RBL (now a part of Trend Micro) and then adding additional filters into the mix a few weeks later.
We were all a little naive back then. We thought the volumes of email and spam were out of control. One article investigated the effectiveness of filters at Yahoo and Hotmail, and quoted a user who said the filters were working well.
How to hire an affiliate
Yesterday I talked about all the reasons that using affiliate email can hurt overall delivery. In some cases, though, marketing departments and the savvy email marketer don’t have a choice in the matter. Someone in management makes a decision and employees are expected to implement it.
If you’re stuck in a place where you have to hire an affiliate, how can you protect the opt-in marketing program you’ve so painstakingly built? Nothing is foolproof, but there are some ways you can screen affiliates.
Affiliate marketing overview
Most retailers have realized that sending unsolicited email is bad for their overall deliverability. Still, the idea they can send mail to people who never heard of them is seductive.
Enter affiliate email. That magical place where companies hire an agency, or a contractor, or some other third party to send email advertising their new product. Their mail and company reputation is protected because they aren’t sending the messages. Even better, affiliates assure their customers that the mail is opt-in. I’m sure some of them even believe it.
The reality is a little different from what affiliates and their customers want to believe.
Spam isn't going away
I got a piece of B2B spam last week that showed in several different ways why spam isn’t going away any time soon.
Systemic problems dealing with abuse at scale at Google. Ethics problems at Cloudflare. Problems dealing with abuse at scale at Amazon. Cultural problems in India, several times over.
Buckle up.
Did the algorithm change?
When faced with unexplained deliverability changes one of the first questions many folks ask is “Did the algorithm change.” In many ways this is a meaningless question. Why? Because there are two obvious answers to the question.
A1: Of course it didn’t.
A2: Of course it did.
Both answers are correct, but they’re answering different underlying questions. When we understand how two diametrically opposed answers are both correct, we understand much more about filtering.
GDPR and Whois data
For folks who aren’t following the discussion about whois records and GDPR compliance there’s a decent summary at vice.com: What Is Going to Happen With Whois?
Social media connections are not opt-ins
It seems silly to have to say this, but connecting on social media is not permission to add an address to your newsletter or mailing list or prospecting list or spam list. Back in 2016, I wrote:
Not fooling anyone…
A question came up on the Women of Email Facebook page about sending cold B2B emails. This is one of those areas I have strong opinions about, mostly because I am so tired of getting deceptive and unending messages from folks.
Realistically, cold emailing isn’t going to stop just because recipients hate receiving it. We haven’t wiped out spam in 20+ years, we’re not going to manage it for this one tiny piece. But I do think there are things senders can do to minimize the amount of frustration their spam creates.
Permission and B2B spam
Two of the very first posts I wrote on the blog were about permission (part 1, part 2). Re-reading those posts is interesting. Experience has taught me that recipients are much more forgiving of implicit opt-in than that post implies.
The change in recipient expectations doesn’t mean, however, that permission isn’t important or required. In fact, The Verge reported on a chatbot that will waste the time of spammers. Users who are fed up with spam can forward their message to Re:Scam and bots will answer the mail.
I cannot tell you how tempted I am to forward all those “Hey, just give me 10 minutes of your time…” emails I get from B2B spammers. I know, those are actually bots, but there is lovely symmetry in bots bothering one another and leaving us humans out of it.
Speaking of those annoying emails, I tweeted about one (with horrible English…) last week. I tagged the company in question and they asked for an example. After I sent it, they did nothing, and I continued to get mail. Because of course I did.
These types of messages are exactly why permission is so critical for controlling spam. Way more companies can buy my email address and add me to their spam automation software than I can opt-out of in any reasonable time frame. My inbox, particularly my business inbox, is where I do business. It’s where I talk with clients, potential clients, customers and, yes, even vendors. But every unsolicited email wastes my time.
It’s not even that the mail is simply unwanted. I get mail I don’t want regularly. Collecting white papers for my library, RSVPing to events, joining webinars all result in me getting added to companies’ mailing lists. That’s fair, I gave them an email address. I’ll unsubscribe.
The B2B companies who buy my address are different. They’re spamming and they understand that. The vendors who sell the automation filters tell their customers how to avoid spam filters. Spammers are told to use different domains for the unsolicited mail and their opt-in mail to avoid blocking. The software plugs into Google and G Suite accounts because very few companies will block Google IPs.
I’ve had many of these companies attempt to pay me to fix their delivery problems. But, in this case there’s nothing to fix. Yes, your mail is being blocked. No, I can’t help. There is nothing I can say to a filtering company or ISP or company to make them lift that block. The mail is unwanted and it’s unsolicited.
The way to get mail unblocked is to demonstrate the mail is wanted. If you can’t do that, well, the filters are working as intended.
The Blighty Flag
Back in the dark ages (the late ’90s) most people used dialup to connect to the internet. Those people who had broadband could run all sorts of services off them, including websites and mail servers and such. We had a cable modem for a while handling mail for blighty.com.
At that time blighty.com had an actual website. This site hosted some of the very first online tools for fighting abuse and tracking spam. At the same time, both of us were fairly active on USENET and in other anti-spam fora. This meant there were more than a few spammers who went out of their way to make our lives difficult. Sometimes by filing false complaints, other times by actually causing problems through the website.
At one point, they managed to get a complaint to our cable provider and we were shut off. Steve contacted their postmaster, someone we knew and who knew us, who realized the complaint was bogus and got us turned back on. Postmaster also said he was flagging our account with “the blighty flag” that meant he had to review the account before it would be turned off in the future.
I keep imagining the blighty flag looking like this in somebody’s database.
That is to say, sometimes folks disable accounts they really shouldn’t be disabling. Say, for instance:
This was an accident by a twitter employee, according to a post by @TwitterGov
Spam-infused Mai-Tai
Happy Labor Day! Celebrate it with the perfect email-themed cocktail – a spam-infused Mai Tai, served in the traditional glass.
A speciality of the Duck Inn in Chicago, it’s made from a fat-washed dark rum:
Conversations with spammers
It’s amazing how many spammers try and fool deliverability into accepting a questionable list. All too often they fall back on a story. The basic points: a company you’ve never heard of collected millions of email addresses on a website hosted on a low end VPS.
I’ve never heard of your company. We’re just that much better at marketing. This list is guaranteed 100% opt in. Subscribers are desperate to hear from us. The mail is vital and important. We had some problems at our last ESP, but that’s just because they don’t understand our business model. And we had a brief problem with complaints. But they weren’t real complaints. Our competitors are signing up for the list and complaining to hurt our business. It’s not a list problem, it’s that we’re so dominant they have to subvert us. That’s just because we’re that much better at their jobs than anyone else.
You’re looking for deliverability help. Well, yeah, sometimes Gmail delivery is bad, but that’s simply because we won’t pay Google money for advertising. Google is so afraid of us they deliberately filter all this spectacularly wanted email into the bulk folder. They have problems with us as a business. Oh, and we might, sometimes, occasionally have a minor problem with Yahoo. But, again, it’s because we threaten them and they don’t want to have to compete on a level playing field.
If they’re a potential customer, I tell them about our services and offer a proposal. Once some company I’ve never heard of tells me their bad delivery is because global companies are afraid of them, there’s really nothing I can do. They’re unlikely to listen to me explain reality to them.
Sometimes, though, this conversation happens because I’m consulting for an ESP or an Agency. They’ve brought me in to discuss deliverability with a customer or vendor. In those cases, it’s my job to keep going.
Your site doesn’t actually have a signup form. That’s because we’re in the middle of an upgrade cycle and had some problems with the back end. [Alternative: We stopped collecting new email addresses because of their deliverability problems and removed the form.]
Your site has a signup form, and I signed up, but never got any mail from you. We disconnected the signup form while we handle our deliverability problems. [Alternative: That shouldn’t happen. We can forward you some messages instead.]
I have received spam advertising your company. We had a rogue affiliate that we discovered was spamming and we cut them off.
No, this is direct from your IP space. Oh, well, you must have opted in and forgotten about it. [Alternative: We had a rogue sales guy, but we fired him for spamming.]
Your company has only been in business for 3 years, this is an address I haven’t used since the ’90s. Oh, we probably bought a company that you opted into and so have permission that way.
That’s not really permission. Of course it is!
OK…. How can I help you. We want you to call Google / Yahoo / Hotmail and tell them we’re really a legitimate company that’s sending content and we shouldn’t be in the bulk folder.
What have you changed? Nothing! Why would we change anything? We’re great marketers. We have all these plans but need to get back to the inbox before we can implement them.
Um… there’s no filter setting for “laura says they’re a good sender.” They’re going to look for new sending patterns so let’s change a few things. Well, we recently removed 2/3 of our database, but it made no difference so we don’t know what else you think we can do.
Let’s talk about your technical setup.
July 2017: The month in email
August is here, and as usual, we’re discussing spam, permissions, bots, filters, delivery challenges, and best practices.
One of the things we see over and over again, both with marketers and with companies that send us email, is that permission is rarely binary — companies want a fair amount of wiggle room, or “implied permission” to send. There are plenty of examples of how companies try to dance around clear permissions, such as this opt form from a company we used to do business with. But there are lots of questions here: can you legitimately mail to addresses you haven’t interacted with in 5 years? 10 years? What’s the best way to re-engage, if at all?
We frequently get questions about how to address deliverability challenges, and I wrote up a post about some of the steps we take as we help our clients with this. These are short-term fixes; for long-term success, the most effective strategy is sending email that people want and expect. Engagement is always at the core of a sustainable email program.
We’ve also discussed the rise of B2B spam, and the ways in which marketing technologies contribute to the problem. B2B marketers struggle to use social and email channels appropriately to reach customers and prospects, but still need to be thoughtful about how they do it. I also wrote about some of the ways that marketing automation plugins facilitate spam and how companies should step up to address the problem. Here’s an example of what happens when the automation plugins go awry.
I wrote a few posts about domain management and the implications for security and fraud. The first was about how cousin domain names can set users up for phishing and fraud, and the second was a useful checklist for looking at your company’s domain management. We also looked at abuse across online communities, which is an increasing problem and one we’re very committed to fighting.
I also highlighted a few best practices this month: guidelines for choosing a new ESP and active buttons in the subject line for Gmail.
And finally, we celebrated the 80th birthday of the original SPAM. If you’re a regular reader of this blog, you probably already know why unwanted email is called SPAM, but just in case, here’s a refresher….
Marketing automation plugins facilitate spam
There’s been an explosion of “Google plugins” that facilitate spam through Gmail and G Suite. They have a similar set of features. Most of these features act to protect the spammer from spam filtering and the poor reputation that comes from purchasing lists and incessantly spamming targets. Some of these plugins have all the features of a full fledged ESP, except a SMTP server and a compliance / deliverability team.
I’ll give the folks creating these programs credit. They identified that the marketers want a way to send mail to purchased lists. But ESPs with good deliverability and reputations don’t allow purchased lists. ESPs that do allow purchased lists often have horrible delivery problems. Enter the spam enabling programs.
From the outside, the folks creating these programs have a design goal to permit spam without the negatives. What do I mean? I mean that the program feature set creates an environment where users can send spam without affecting the rest of their mail.
The primary way the software prevents spam blocking is using Google, Amazon or Office 365 as their outbound mail server. Let’s be frank, these systems carry enough real mail, they’re unlikely to be widely blocked. These ISPs are also not geared up to deal with compliance the same way ESPs or consumer providers are.
There seem to be more and more of these companies around. I first learned of them when I started getting a lot of spam from vaguely legitimate companies through google mail servers. Some of them were even kind enough to inform me they were using Gmail as their marketing strategy.
I didn’t realize quite how big this space was, though. And it does seem to be getting even bigger.
Then a vendor in the space reached out looking for delivery help for them and their customers. Seems they were having some challenges getting mail into some ISPs. I told them I couldn’t help. They did mention 3 or 4 names of their competitors, to help me understand their business model.
Last week, one of the companies selling this sort of software asked me if I’d provide quotes for a blog article they were writing. This blog article was about various blocklists and how their software makes it such that their customers don’t really have to worry about blocking. According to the article, even domain based blocking isn’t an issue because they recommend using a domain completely separate from their actual domain. I declined to participate. I did spend a little time on their website just to see what they were doing.
This morning a vendor in the space joined one of the email slack channels I participate in asking for feedback on their software. Again, they provide software so companies can send spam through google outbound IPs. Discussions with the vendor made it clear that they take zero responsibility for how their software is used.
I don’t actually expect that even naming and shaming these companies facilitating spam will do anything to change their minds. They don’t care about the email ecosystem or how annoying their customers are. About the best they could do is accept opt-out requests from those of us who really don’t want to be bothered by their customers. Even that won’t really help, even domain based opt-outs are ineffective.
What needs to happen is companies like Google, Amazon and Microsoft need to step up and enforce their anti-spam policies.
Mike might be spamming, but why?
I’ve been talking a lot about ongoing B2B spam. That is, where senders drop your address into some sort of automation, that sends mail from gmail or amazon and just spams and spams and spams. This is what my mailbox looked like this morning
Yes, every one of those emails is sent to the same address. “you are still using the address laura-info@…” Well, no, actually. That was the original address I used as part of our contact on the first iteration of the WttW website. I stopped using that address somewhere around 2002? 3? It’s been a very long time in any case.
Folks, B2B spam is still spam. It doesn’t matter if you register a new domain and use Gmail as your outbounds as a way to avoid filters.
It doesn’t matter…
I'm not a customer any more
We recently moved co-working spaces, after 8 or 9 years in the same place. I’ll be up front here, we left Space A because I was annoyed with them. I’ve been increasingly unhappy with them for a while, but moving is a pain so I just put up with them. But their most recent rent increase along with the lost packages, increasing deposit requirements and revolving door of incompetent staff finally drove us to find a new co-working space.
On the 15th of the last month of our contract, I started receiving marketing emails from Space A. I just deleted a couple of them but finally decided I didn’t want to ever see their name again. I tried to unsubscribe.
Gotta give them credit. Checkboxes for everything, except some of them are to opt-in and some of them are to opt-out. This is the kind of interface marketers use to confuse folks and limit the actual number of opt-outs. I’ll admit, the first time I tried to opt-out, I probably did it wrong. But, I know CAN SPAM says they have 10 days, and I know many marketers take advantage of that so I wait a while and keep deleting the messages that show up in my mailbox.
That was late June. By early July I realize it’s been more than 10 days and I’m still getting mail from them. So I click another opt-out link. This time I notice I need to uncheck most boxes, but check the bottom one. OK, fine, you got me, I didn’t read and didn’t correctly opt-out the first time. This time I will.
I continue to receive email. I continue to delete the email. We run our own mail system so I don’t have the benefit of a this-is-spam button, but you can bet if I did I would have used it, on every message I received after my first attempt to opt-out.
This week, after getting yet more mail, I start digging. What ESP are they using that’s bungling the opt-out process? Ah. I know that ESP. So I send in a complaint to abuse@ESP asking them to please make their customer stop mailing me. I also go, once again, to the preference page and submit an opt-out request. Because, hey, maybe third time is a charm?
12 hours later I get yet another mail from them. Really? REALLY? OK. Now I’m moving from annoyed to irate. First step: figure out if I know anyone working at said ESP. Ah, right, them. I have a lot of respect for this colleague, so I send a heads up pointing out that their customer isn’t honoring unsubscribes and can they take a look at what might have broken in their unsubscribe process.
This morning they tell me they looked into my subscription and have not registered any opt-out request until the one this week. The other two? Not recorded in their system. “Does this match your recollection of what happened?” No. No it doesn’t. I know I clicked on unsub links at least 3 times and only one of those clicks is recorded.
At this point, I’m pretty sure I’ll be suppressed by the ESP so I won’t have to get mail from Space A any longer. That fixes the annoyance on my end. But I can’t help thinking about how horrible this interaction was, both from a deliverability perspective and from a customer perspective.
Delete or read?
This week I attended a Data Visualization workshop presented by the Advanced Media Center at UC Berkeley. Every year I set at least one professional development goal; this year it’s learning how to better communicate visually.
Part of the class included other resources, which led me to Nathan Yau’s website. One of the articles on the front page of his site is titled “Email Deletion Flow Chart.” Well, of course I had to read the post.
Permission trumps good metrics
Most companies and senders will tell you they follow all the best practices. My experience says they follow the easy best practices. They’ll comply with technical best practices, they’ll tick all the boxes for content and formatting, they’ll make a nod to permission. Then they’re surprised that their mail delivery isn’t great.
The cycle goes on
Monday I published a blog post about the ongoing B2B spam and how annoying it is. I get so many of these they’re becoming an actual problem. 3, 4, 5 a day. And then there’s the ongoing “drip” messages at 4, 6, 8, 12 days. It is getting out of control. It’s spam. It’s annoying. And most of it’s breaking the law.
But, I can also use it as blog (and twitter!) fodder.
Reaching targets, the wrong way
I’ve been increasingly annoyed by these drip automation campaigns. You know the ones I mean. Senders use some software to find some flimsy pretext to send a mail. Then their emails drop every few days. Sometimes this cycle goes on for months. Most of these messages violate CAN SPAM. It’s annoying. It’s illegal. It is spam.
I can’t even opt out of most of these messages, they don’t offer that ability.
Disappearing domains
On May 31, British broadband provider EE discontinued service for a number of email domains: Orange.net, Orangehome.co.uk, Wanadoo.co.uk, Freeserve.co.uk, Fsbusiness.co.uk, Fslife.co.uk, Fsmail.net, Fsworld.co.uk, and Fsnet.co.uk.
These domains were acquired by EE as part of multiple mergers and acquisitions. On their help page, EE explains that the proliferation of free email services with advanced functionality has led to a decrease in email usage at these domains.
Yesterday, Terra.co.br announced they were discontinuing email to a number of their free domains as of June 30, 2017: terra.com, terra.com.ar, mi.terra.cl, terra.com.co, terra.com.mx, terra.com.pe, terra.com.ve, and terra.com.ec.
I’m not surprised to see these domains going away and I think we’ll see more of it going forward. The reasons are pretty simple. Mail is not an easy service to run. Mail doesn’t bring in a lot of money. Dedicated mailbox providers do a great job and the addresses from them are portable.
Random thoughts on spammers
I recently received a 419 spam that had a message at the top of the email.
Yup, a 419 spammer is trying to convince me there are millions of dollars waiting for me, but he won’t pay his software vendor 29.99 to comply with a license.
This is only the most recent in a long line of examples of spammers being cheap and attempting to steal services.
Back when I was working abuse almost every ISP had a story about a spammer who refused to pay their bill. Or spammers who were so high maintenance they cost the company money.
The company I worked for had a spammer that was on our system for far too long. Eventually they were cut off for non-payment and their hardware was confiscated. Still, the spammer came in and managed to remove the hardware before the building guards were alerted. It was disappointing, but at least they weren’t spamming off our network any longer.
Even now, ESPs share stories of customers who come in, spam and never pay their bill. Works for the spammer, they can get a few weeks of spamming in without having to pay for the service. They spew their stuff and leave a giant mess for the ESP to clean up. Next week, they’re on to the next ESP.
The real problem with this is that with enough ESPs and enough sends you can clean a list. This list can then be sold, or moved to a credible ESP without any of the telltale signs of a purchased list. It’s so common it even has a name: waterfalling. It’s profitable, though, and there are enough small ESPs out there with little compliance experience that it can work.
I regularly get questions from folks who’ve worked themselves into a hole about swapping IPs or domains in order to get out of the hole. My answer is always the same. Changing identity might work in the short term, but it won’t work longer term. I also tell them that spammers have been trying to avoid filters for a lot longer than they have. Spammers are good at it, and still get caught in filters. Better to spend time trying to fix the underlying problem – typically users aren’t engaged with your mail – than trying to obfuscate who is sending the message to avoid filters.
Focus on sending good email that users want, rather than trying to avoid filters. That’s the key to getting into the inbox.
Shibboleet
Using unique addresses for signups gives me the ability to track how well companies are protecting customer data. If only one company ever had an address, and it’s now getting spam or phishing mail, then that company has had a data breach. The challenge then becomes getting the evidence and details to the right people inside the company.
In one case it was easy. I knew a number of people inside the company and knew they would take it seriously and pass it on to the folks in the best place to deal with it. I did. They did. They got their systems secured and notified customers and it was all taken care of.
Other cases aren’t as easy.
Many years ago I got mail from my credit card company to a unique address. This was long before SPF or DKIM and the mail contained links different from the company’s main domain. I called them up to see if this was real or not. They told me it wasn’t, because tier 1 support are trained to tell users everything is suspicious. Eventually, though, it became clear this wasn’t a phish, it was just bad marketing by the company.
A few years ago I reported a possible breach to representatives of a company while at a meeting. Coincidentally, the address only their company had started getting phishing and spam during the conference. I brought it up to them and followed their directions for reporting. They asserted the leak wasn’t on their end, but to this day I get multiple spams a day to that address. They claimed that the spammer was someone I was friends with on their website, but they could never quite demonstrate that to my satisfaction. I treat that site as only marginally secure and take care with the information I share.
After Target was breached they emailed me, out of the blue, to the address I use at Amazon. There was some level of partnership between Amazon and Target and it appears Amazon shared at least part of their database with Target. I talked with security folks at Amazon but they told me they had no comment.
Of course, on the flip side, I know how challenging it is to sort through reports and identify the ones that are valid and ones that aren’t. When I handled abuse@ we had a customer that provided a music sharing program. If a connection was interrupted the software would attempt to reconnect. Sometimes the connection was interrupted because the modem dropped and a new person would get the IP address while the software was trying to reconnect. This would cause a flood of requests to the new person’s computer. These requests would set off personal firewalls and they’d contact abuse to tell us of hacking. There wasn’t any hacking, of course, but they’d still argue with us. One of my co-workers had a nickname for these folks that was somewhat impolite.
We had to implement some barriers to complaints to sort out the home users with personal firewalls from the real security experts with real firewalls that were reporting actual security issues. So I get that you don’t always want or need to listen to J. Random Reporter about a security issue.
Sometimes, though, J. Random Reporter knows what they’re talking about.
Yeah, I spent the morning trying to get support at a company to connect me to security or pass a message along. Too bad there isn’t a security shibboleet.
A due diligence story
due diligence
noun. research and analysis of a company or organization done in preparation for a business transaction
It’s a term that’s been around for five centuries or so. Originally it meant the effort that was necessary for something, but it evolved into a legal term for “the care that a reasonable person takes to avoid harm to other persons or their property“.
More recently it’s evolved to mean “the research that a company should perform before engaging in a financial transaction“.
One aspect of that is doing at least a bare minimum of research on a customer before you let them take advantage of your reputation.
I just got some SMS spam from a short code, advertising two domains – 29designx.us and customlogocoupon.us. It’s SMS spam, so there’s no hidden content, no affiliate tags, just the bare domains. One spam has both domains in it, the other has 29designx.us twice.
According to the company that operates the SMS gateway this is a dedicated short code, not a shared code. In ESP terms that’s kinda equivalent to a customer on a dedicated IP address rather than one sharing a pool. Except much more so – short codes are a scarcer resource than IP addresses, with the US having fewer short codes in total than some ESPs have IP addresses.
What would 60 seconds of due diligence have told the SMS provider about this customer?
Let’s start by looking at the two websites.
They’re clearly built from the same template. Same annoying animation, same fake sale countdown timers, same live chat window.
The live chat was answered by Harvey (who is a real person, one I managed to annoy by talking with him through multiple live chat windows on their different sites simultaneously). Different ‘phone numbers though – 1-866-212-2217 for the coupon site vs 1-619-942-5964.
Then let’s look at whois for the domains:
Domain Name: 29DESIGNX.US
Registrant Name: Mildred Smith
Registrant Organization: 29designs
Registrant Address1: 1854 Valley View Drive (that’s in Kansas)
Registrant City: Boston
Registrant State/Province: MA (not Boston, Massachusetts)
Registrant Postal Code: DN3 6GB (see note)
Registrant Country: UNITED KINGDOM (nor the United Kingdom)
Registrant Country Code: GB
Registrant Phone Number: +92.3233000306 (nor Pakistan)
Registrant Email: rhiannon.desir@gmail.com (gmail? rhiannon != Mildred)
Registrant Application Purpose: P1 (= business registration)
Registrant Nexus Category: C11
and
Domain Name: CUSTOMLOGOCOUPON.US
Registrant Name: Antonio R. Flores
Registrant Organization: Oranges Records & Tapes (see note)
Registrant Address1: 4243 Marie Street Annapolis (doesn’t exist)
Registrant City: MD
Registrant State/Province: MD
Registrant Postal Code: 21401
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.4108498868
Registrant Email: mj9729395@gmail.com (seven digit number, huh?)
Registrant Application Purpose: P3 (= personal website)
Registrant Nexus Category: C11
That’d make me suspicious enough to put the customer on hold and maybe do a little actual investigation of them before allowing them to send. That’s the due diligence an ESP or SMS provider should do.
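The inconsistencies called out in the two records above can be checked mechanically when a customer signs up. This is an added example, not the author's tooling: the rule names, the small lookup tables and the freemail list are illustrative assumptions, and the record text is the page's own with the parenthetical notes removed.

```python
import re

# The two whois records quoted above, annotations stripped.
RECORD_29DESIGNX = """\
Domain Name: 29DESIGNX.US
Registrant Name: Mildred Smith
Registrant Organization: 29designs
Registrant Address1: 1854 Valley View Drive
Registrant City: Boston
Registrant State/Province: MA
Registrant Postal Code: DN3 6GB
Registrant Country: UNITED KINGDOM
Registrant Country Code: GB
Registrant Phone Number: +92.3233000306
Registrant Email: rhiannon.desir@gmail.com
Registrant Application Purpose: P1
Registrant Nexus Category: C11
"""
RECORD_CUSTOMLOGOCOUPON = """\
Domain Name: CUSTOMLOGOCOUPON.US
Registrant Name: Antonio R. Flores
Registrant Organization: Oranges Records & Tapes
Registrant Address1: 4243 Marie Street Annapolis
Registrant City: MD
Registrant State/Province: MD
Registrant Postal Code: 21401
Registrant Country: United States
Registrant Country Code: US
Registrant Phone Number: +1.4108498868
Registrant Email: mj9729395@gmail.com
Registrant Application Purpose: P3
Registrant Nexus Category: C11
"""

# Assumed lookup tables, trimmed to the countries that appear in the records.
CALLING_CODE = {"US": "1", "GB": "44"}
POSTAL_RE = {"US": r"\d{5}(-\d{4})?", "GB": r"[A-Z]{1,2}\d[A-Z\d]? ?\d[A-Z]{2}"}
FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}
US_STATES = set(
    "AL AK AZ AR CA CO CT DE DC FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS MO "
    "MT NE NV NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY".split()
)


def parse_whois(text):
    """Turn 'Registrant Key: value' lines into a dict keyed without the prefix."""
    rec = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            rec[key.strip().replace("Registrant ", "", 1)] = value.strip()
    return rec


def red_flags(rec):
    """Return the names of the internal inconsistencies found in one record."""
    flags = []
    cc = rec.get("Country Code", "").upper()
    state = rec.get("State/Province", "").upper()
    purpose = rec.get("Application Purpose", "")  # P1 = business, P3 = personal
    local, _, domain = rec.get("Email", "").lower().partition("@")

    if state in US_STATES and cc != "US":
        flags.append("state_country_mismatch")
    if rec.get("City", "").upper() in US_STATES:
        flags.append("city_is_state_code")
    pattern = POSTAL_RE.get(cc)
    if pattern and not re.fullmatch(pattern, rec.get("Postal Code", "").upper()):
        flags.append("postal_format_mismatch")
    dial = rec.get("Phone Number", "").lstrip("+").split(".")[0]
    if cc in CALLING_CODE and dial != CALLING_CODE[cc]:
        flags.append("phone_country_mismatch")
    if purpose == "P1" and domain in FREEMAIL:
        flags.append("freemail_for_business")
    # Name words of three or more letters, compared against the email local part.
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]{3,}", rec.get("Name", ""))]
    if tokens and not any(t in local for t in tokens):
        flags.append("email_name_mismatch")
    if re.search(r"\d{6,}", local):
        flags.append("numeric_email_local_part")
    if purpose == "P3" and rec.get("Organization"):
        flags.append("personal_purpose_with_organization")
    return flags


if __name__ == "__main__":
    for raw in (RECORD_29DESIGNX, RECORD_CUSTOMLOGOCOUPON):
        rec = parse_whois(raw)
        print(rec["Domain Name"], red_flags(rec))
```

The postcode check passes for DN3 6GB because the value is syntactically valid; catching a nonexistent postcode or street needs an address lookup service, which this offline check does not attempt.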
Laura is in Las Vegas today, so I have a little spare time. Let’s do the next level of investigation to find a little more. Nothing fancy, just some creative use of Google.
“DN3 6GB” is an interesting UK postcode. Not because Doncaster – the South Yorkshire town that “DN3” would imply – is particularly interesting, nor because of the fact that DN3 6GB doesn’t exist, despite being syntactically correct.
No. It’s interesting because it is the first postcode in a test suite for validating UK postcodes via regular expression so it’s all over developers forums and FAQs when people are talking about valid UK postcodes. Not only a fake, but a manually created fake.
“Orange’s Records and Tapes” is interesting too. It’s an odd looking business name to have attached to a logo design company. And the mention of “Tapes” looks rather dated. It seems to be a Chicago-based record store (or, possibly, small chain) that either went out of business or was bought out and the name abandoned quite some years ago. It’s still on some easily available lists of business names, though.
And it’s also in output from fakenamegenerator.com – a handy little site that generates fake names, email addresses, employer names, birth dates, credit card numbers and everything else you might want to have as test data. That makes me pretty sure that everything about customlogocoupon.us is fake.
Reverse whois search suggests that the same “Mildred Smith” also registered 29design.us, paperx.us, 99videos.us, 29designs.us and 99videoz.us. As well as the similarity in domain names, the sites that are up are using the same template as the first two sites and selling services in much the same style. And appear to use equally fake registration data.
We still have the ‘phone numbers published on the original sites…
The 866 number on customlogocoupon.us shows up in the contact information for logoventure.com and logoventure.net. They’re a small graphic design and flash animation company, consisting of Russell Bryant, Jessica Sandler, George Isaacson and Jason somebody. No Antonio R. Flores, and it’s a much more restrained site than the customlogocoupon.us hyperactivity.
The 619 number from 29designx.us shows up on animationsharks.com. Which is a little better designed, but still has the same live chat box manned by Harvey. (Hi, Harvey!). It’s been mentioned elsewhere in the SMS spam context too.
There’s no useful contact information on the site, and the domain registration data is falsified via Domains by Proxy (reasonable for a personal site, a bad sign on a business site).
My best guess is that animationsharks.com / 29designx.us / 29design.us / 29designns.com are the SMS spammers, while logoventure.com are a customer of theirs.
Hidden by CSS on the animationsharks.com site is a list of services, support and postal contact information that’s identical to that of a legitimate corporate animation studio based out of Boston. It’s possible that they just ripped off the site of another company, but it’s also possible it’s a side-job, something done by an ex-employee…
But that’s all I have time to look at now. Back to work.
Malicious email terms defined.
Legitimate mailers need to distinguish themselves from spammers. One important piece of that is knowing what spammers do. SendGrid has put together some information on common scams and techniques spammers use to get email delivered.
Some of these terms, like doxxing and swatting, are not specifically email related. However, they are used against people who are fighting abuse on the Internet. People who are actively investigating darker portions of the internet face real danger. Brian Krebs has made some of the harassment he’s received public. I know other people in the space have been harassed but don’t make it so public.
I think it’s valuable for marketers to understand the malicious and criminal end of mail. It makes some filtering decisions less random when you know the types of bad traffic that the filters are trying to stop. The SendGrid document is a fantastic first stop to learn about them.
Responding to complaints
I sent in a complaint to an ESP earlier today. This was mail from a major UK retailer to an address that is not used to sign up for mail. It’s part of an ongoing stream of spam related to UK services and products. I believe most of this is because one of the data selling companies has that address associated with someone who is not me.
I did explain I believed this was a purchased address but I’m wondering if I will get a response. The address isn’t one of those I regularly use so there isn’t a connection between “Laura, deliverability person” and “Laura, spam victim.” There are some industry folks who go out of their way to respond to my complaints. That’s always rewarding.
On a more theoretical level, I can make good arguments for responding and good arguments for not responding.
It's not fair
In the delivery space, stuff comes in cycles. We’re currently in a cycle where people are unhappy with spam filters. There are two reasons they’re unhappy: false positives and false negatives.
False positives are emails that the user doesn’t think are spam but that go into the bulk folder anyway.
False negatives are emails that the user does think are spam but that are delivered to the inbox.
I’ve sat on multiple calls over the course of my career, with clients and potential clients, where the question I cannot answer comes up. “Why do I still get spam?”
I have a lot of thoughts about this question and what it means for a discussion, how it should be answered and what the next steps are. But it’s important to understand that I, and most of my deliverability colleagues, hate this question. Yet we get it all the time. ISPs get it, too.
A big part of the answer is because spammers spend inordinate amounts of time and money trying to figure out how to break filters. In fact, back in 2006 the FTC fined a company almost a million dollars for using deceptive techniques to try and get into filters. One of the things this company did would be to have folks manually create emails to test filters. Once they found a piece of text that would get into the inbox, they’d spam until the filters caught up. Then, they’d start testing content again to see what would get past the filters. Repeat.
This wasn’t some fly by night company. They had beautiful offices in San Francisco with conference rooms overlooking Treasure Island. They were profitable. They were spammers. Of course, not long after the FTC fined them, they filed bankruptcy and disappeared.
Other spammers create and cultivate vast networks of IP addresses and domains to be used in snowshoeing operations. Still other spammers commit criminal acts to hijack the reputation of legitimate senders and make it to the inbox.
Why do you still get spam? That’s a bit like asking why people speed or run red lights. You still get spam because spammers invest a lot of money and time into sending you spam. They’re OK with only a small percentage of emails getting through filters, they’ll just make it up in volume.
Spam still exists because spammers still exist.
What about the spamtraps?
I’ve been slammed the last few days and blogging is that thing that is falling by the wayside most. I don’t expect this to change much in the very short term. But, I do have over 1200 blog posts, some of which are still relevant. So I’ll be pulling some older posts out and sharing them here while I’m slammed and don’t have a lot of time left over to generate new content.
Today’s repost is a 2015 post about spamtraps.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …
Use all the channels
One of the hardest deliverability situations to address is when all mail from a certain sender is going to the bulk folder. I’ve had numerous clients come to me to address this situation over the years. Ideally, clients come to me before all their mail is going to bulk. Then we can make some tweaks and changes to their mail program, repair the reputation and then recover other addresses. We have knobs we can twist to fix things if some people are still getting messages in their inbox. We have data to measure.
When all mail is going to bulk, though, we lose access to the knobs and the data. There are zero complaints if mail is going to bulk. There are no opens or clicks, because many ISPs disable images and links in the bulk folder. Our normal “fixing reputation” tools are taken away from us.
Senders with all their mail going to bulk are faced with a profound challenge. How can they engage customers who are unengaged and who are not seeing mail at all? How can we fix deliverability when our normal tools and metrics are unavailable?
If we can get even a small percentage of recipients to go pull mail out of bulk or spam and move it to their inbox, then we’re well on our way to repairing reputation. But how can we get them to go look for the mail in the bulk folder? Recent Litmus research suggests that a significant percentage of folks regularly check their spam folder, but this isn’t always enough to repair reputation.
The question becomes how can the senders encourage recipients to go digging through their spam folder.
This is the point where I start quizzing clients on what other channels they use to communicate with their customers. I’ll run through the whole list: social media, snail mail, push notices through apps, SMS, website popups, Facebook ads. I work with them to identify users who are engaged with their brand and brainstorm ways to get those users to look for mail.
I’m always pleased to see large brands using these strategies. Just recently Blizzard used twitter to communicate with their users about email problems. They tweeted.
The link takes you to the Blizzard support site, where they give specific instructions on how to whitelist mail and what mail to whitelist.
Google and Amazon and B2B spam
Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies.
Most legitimate network providers pay at least lip service to not allowing abusive behaviour such as spam from their networks, so a spammer has to make a few choices about what infrastructure to use to optimize their costs.
They can be open about who they are and what they do, and host with a reputable network provider, and build out mailservers much as any legitimate ESP would do. But eventually they’ll get blacklisted by one of the more reputable reputation providers – leading to little of their mail being delivered, and increasing the pressure on their provider to terminate them. They social engineer their provider’s abuse desk, and drag their feet, and make small changes, but eventually they’ll need to move to another provider. Both the delaying tactics and the finally moving are expensive.
Or they can host with a network provider who doesn’t care about abuse from their network, and do the same thing. But they’ll still get blacklisted and, unlike on a more reputable network, they’re much less likely to get any benefit of the doubt from any reputation providers.
Every time they get blacklisted they can move to a new network provider. That’s easy to do if your infrastructure is virtual machine based and moving providers just involves buying a new hosting account. But as anyone who’s heard the phrase “ramping-up” knows, mail from new network space is treated with suspicion, and as they’re continually moving, their mail won’t reach the inbox much.
Preemptively spreading the sources of your spam across many different IP addresses on different providers, and sending spam out at low enough levels from each address that you’re less likely to be noticed is another approach. This is snowshoe spam and spam filters are getting better at detecting it.
What to do? In order to get mail delivered to the inbox the spammer needs to be sending from somewhere with a good reputation, ideally intermingled with lots of legitimate email, so that the false-positive induced pain of blocking the mailstream would be worse than their spam. That’s one reason a lot of spammers send through legitimate ESPs. They’re still having to jump from provider to provider as they’re terminated, but now they’re relying on the delivery reputation of the shared IP pools at each new ESP they jump to. But that still takes work to move between ESPs. And ESP policy enforcement people talk to each other…
As a spammer you want your mail to be sent from somewhere with good reputation, somewhere you can use many different accounts, so your spam is spread across many of them, flying below the radar. Ideally you wouldn’t have any documented connection to those accounts, so your activity won’t show up on any aggregated monitoring or reporting.
If nothing in the mail sent out identifies you there is nowhere for recipients to focus their ire. And if recipients can’t tell that the hundreds of pieces of spam in their inbox came from a single spammer, they’re much less likely to focus efforts on blocking that mail stream.
Over the past couple of years I’ve seen a new approach from dedicated B2B spammers, the sort who sell “buy and upload a list, blast out something advertising your company, track responses, send multiple mails over a series of weeks” services to salespeople. They’re the ones who tend to have glossy, legitimate websites, talking about “lead nurturing”, “automated drip campaigns” or “outreach automation”.
They have each of their customers sign up for gmail or google apps accounts, or use their existing google apps accounts, and then the spammer funnels the spam sent on behalf of that customer through that google account. There’s no obvious connection between the spammer and the google account so there’s no risk to the spammer. Google is fairly unresponsive to spam complaints, so as long as the volume sent by each customer isn’t spectacularly high it’s going to be well below Google automation’s threshold of notice.
Google do record where mail that’s injected into their infrastructure in this way comes from, in the Received headers. But the spammers run their sending infrastructure – list management, message composition, tracking and so on – on anonymous, throwaway virtual machines hosted on Amazon’s EC2 cloud, so there’s nothing in the email that leads back to the spammer.
And, for recipients, that’s a problem. Spam filters aren’t going to block this sort of mail, as they can’t easily tell it is this sort of mail. It’s coming from Google MTAs, just like a lot of legitimate mail does. In terms of sheer volume it’s dwarfed by botnet sourced mail or dubious B2B manufacturing spam out of Shenzhen. But, unlike most of that, it’s in your inbox, in front of your eyeballs and costing you time and focus. And that’s much more expensive than network infrastructure or mailbox storage space.
I’m not sure what, if anything, Google or Amazon can do about it at scale, but it’s something that’s going to need to be dealt with eventually.
Meanwhile, if you receive some marginally personalized mail from a sales rep, one attempting to look like 1:1 mail, look at the headers. If you see something like this …
If I can't tell, it's spam
Judging by the amount of B2B spams I’ve gotten this past week, a number of businesses got bright, shiny new email programs for Christmas. “Like to set up a call with you…” “Just need 10 minutes of your time to explore…” “Love to jump on a call and tell you about our product…”
That’s just the mail that comes into my personal address. There’s also a raft of mail coming into our contact address. The majority of those are trying to sell me FB or Twitter followers, although Instagram is rising in the ranks. Some of those messages are kinda funny, though. They try so hard to pretend there’s a real person who really did look at our website and who really has a comment.
Most of the time it’s pretty obvious that it’s not from a human. But every once in a while a message comes in that might be from a real person. I’ve finally decided that if I have any question if a message was written by a human or a bot, it will be treated as written by a bot.
Unfair? Maybe. But I’m a small business owner and a consultant; I don’t have tons of spare time to sit around letting folks pitch me on their business. I don’t think I’m actually that unusual when it comes to entrepreneurs. We’re busy, we don’t like distractions and we go out and search for the things we actually do need.
Outreach or spam?
This showed up in my mailbox earlier today:
The tweet in question
From Crunchbase: “Pluck is an email prospecting tool that gives you the email addresses of the people tweeting about subjects related to your business.”
Prospecting: another name for spamming. Look, I know that you want to sell your newest, greatest product to the world. But just because I tweet something with a # that you think is relevant to your product doesn’t mean that I want to get your spam. I also know it’s hard to get attention and find prospects; I’m a small business owner, too, and I need to market my own services. But spamming isn’t a good idea. Ever.
There’s been a significant increase in this kind of spam “to help your business” lately. It’s a rare day I don’t get something from some company I’ve never heard of trying to sell me their newest product. It might be something if they tried a contact or two and then went away. But they’ll send mail for weeks or months without getting an answer. Look, silence IS an answer and it means you need to go away and leave your prospects alone.
Unfortunately, there are services out there that sell a product that let you “automatically follow up” with your prospects. Pluck up there uses one of them, as that’s who’s handling all the links in the message. In fact, if you go to the bare domain (qcml.io) they talk a good anti-spam game. “Die, spammers, die.” I reported the message to them. I’m not expecting them to actually do anything, and I’m not expecting a response.
It’s just spam under another name. There’s no pretense that it’s anything else. Even if it’s sent in a way that makes it look like a real person typed the message, like QuickMail offers. “All emails will come straight out of your personal inbox as though you typed them yourself.” As if you typed them yourself.
The worst part is there’s no real way to stop the mail. I can’t unsubscribe. The companies selling the software don’t provide any guidance to their customers about what the law requires. Take the message from Pluck that started the post. It violates CAN SPAM in multiple ways. Moreover, the address they used is not publicly associated with my twitter handle, which means they’re doing some harvesting somewhere. That means treble penalties under CAN SPAM.
I could reply and ask them to stop mailing me. I’ve done that a couple times with a message that says, “Please don’t email me any more.” I’ve got to tell you, some people get really mad when you ask them not to email you. Some just say yes, but others are really offended that you asked them to stop and get abusive. It’s gotten to the point where I don’t ask any more because of that one person who decides to harass, threaten and scream at me. Sure, it’s maybe 1 in 5, but I don’t have the time or energy to figure out who is going to be receptive and who isn’t. I don’t have time for that. No one has time for that.
I’m expecting that filters are going to catch up eventually and these types of mail will be easier to filter out. Until then, though, small business owners like myself are stuck in a place where we have to deal with spam distracting us from our business. At least I get blog content out of it.
Targeted marketing done badly
There was quite a bit of content I cut out on my rant about parasites in the email ecosystem earlier this week. I had a whole section on people who ask to connect on LinkedIn and then immediately send a pitch or scrape your address and add it to their marketing automation software and start spamming. Generally, the only reason I will drop someone off LinkedIn is because they do this.
Today, one of the deliverability mailing lists has been hopping over spam many folks in the industry received. The discussion started off simple enough, someone said “Is <companyname> spamming the industry?” People immediately chimed in that yeah, it did appear so.
A few people said they’d gotten the message and thought it was personal and were disappointed it wasn’t. Others weren’t sure why they were chosen to receive this message, or why some of their co-workers were chosen. A few of us didn’t get them. I didn’t.
This is a great example of marketing that was reasonably well planned, but a total fail for not knowing their audience. The product in question is an anti-abuse product. The company wants to reach people in the anti-abuse industry. They go off and find people in the anti-abuse industry and send them an email. Mail that seems personalized. It was a perfectly reasonable email. It asked questions and did get some people to engage with it by replying. They even appear to have done A/B testing on subject lines.
All solid marketing decisions. All great things to do.
But, the anti-abuse community is small, particularly the ESP anti-abuse community. We talk on mailing lists, IRC, LinkedIn, Facebook and Slack – and those are just the places I’m connected to. I’m sure there are other meeting places. The fact is, we’re a community and we do interact. If you’re going to try and do something like this, you have to expect that we’re going to realize you’re spamming. And many of us have very low tolerance for this kind of stuff.
A few years ago I worked with some senders who acquired most of their email addresses from technical conferences. They had a lot of delivery problems because a lot of their audience were the people who wrote and maintained filters. Spam the person who writes a spam filter and you may find yourself locked out from all of those filter users. I finally realized I couldn’t help those clients. No amount of technical perfection, personalization, looking like one-to-one mail or magic address cleaning is going to make this audience want your mail.
Marketing starts at understanding your audience. Permission is one of the better ways to understand your audience. Marketing to the anti-abuse crowd is a challenge. I can’t see any place where unsolicited email successfully fits into that plan.
Parasites hurt email marketing
As a small business owner I am a ripe target for many companies. They buy my address from some lead generation firm, or they scrape it off LinkedIn, and they send me a message that pretends to be personalized but isn’t really.
“I looked at your website… we have a list of email addresses to sell you.”
“We offer cold calling services… can I set up a call with you?”
“I have scheduled a meeting tomorrow so I can tell you about our product that will solve all your technical issues and is also a floor wax.”
None of these emails are anything more than spam. They’re fake personalized. There’s no permission. On a good day they’ll have an opt out link. On a normal day they might include an actual name.
These are messages coming to an email address I’ve spent years trying to protect from getting onto mailing lists. I don’t do fishbowls, I’m careful about who I give my card to, I never use it to sign up for anything. And, still, that has all been for naught.
I don’t really blame the senders, I mean I do, they’re the ones that bought my address and then invested in business automation software that sends me regular emails trying to get me to give them a phone number. Or a contact for “the right person at your business to talk to about this great offer that will change your business.”
The real blame lies with the people who pretend that B2B spam is somehow not spam. Who have pivoted their businesses from selling consumer lists to business lists because permission doesn’t matter when it comes to businesses. The real blame lies with companies who sell “marketing automation software” that plugs into their Google Apps account and hijacks their reputation to get to the inbox. The real blame lies with list cleansing companies who sell list buyers a cleansing service that only hides the evidence of spamming.
There are so many parasites in the email space. They take time, energy and resources from large and small businesses, offering them services that seem good, but really are worthless.
The biologically interesting thing about parasites, though, is that they do better if they don’t overwhelm the host system. They have to stay small. They have to stay hidden. They have to not cause too much harm, otherwise the host system will fight back.
Email fights back too. Parasites will find it harder and harder to get mail delivered in any volume as the host system adapts to them. Already if I look in my junk folder, my filters are correctly flagging these messages as spam. And my filters see a very small portion of mail. Filtering companies and the business email hosting systems have a much broader view and much better defenses.
These emails annoy me, but I know that they are a short term problem. As more and more businesses move to hosted services, like Google Apps and Office365, the permission rules are going to apply to business addresses as well as consumer addresses. The parasites selling products and services to small business owners can’t overwhelm email. The defenses will step in first.
Almost time to vote
I have to admit, the closer we get to election day the more distracted I’m getting. This will be the 8th presidential election I’m eligible to vote in and one I’m following closely. We even watched the 2nd debate live on the trip over to the UK.
As with the 2008 and 2012 elections, email marketing is a huge portion of candidate strategy. Many companies have been tracking how the candidates are using email. Return Path has pulled together a lot of interesting data on their Election Archives, and many other ESPs have thrown their two cents in when it comes to election email.
When this election season started, feels like 10-gazillion years ago now, I started signing up for different candidate lists to see what they were doing with email. I quickly fell behind when so many Republican candidates threw their hat in the ring. By that point, I knew other folks were monitoring email and reporting on email and decided to drop the project. I just couldn’t keep up and other people could do it better.
We did comment on the Trump campaign spamming foreign leaders. I think it’s important to realize that deliverability rules don’t get thrown out the window simply because you have an important name or are running for president. A few years ago, one campaign was SBLed on election night and their ESP cut them off. I happen to know the person running compliance there and they supported that candidate but policies are policies.
We also shared a post from someone speculating about how Secy Clinton had access to a private server. The speculation was somewhat wrong, in that the server was already there and set up for Pres. Clinton when he left office. But other than that, much of the other stuff that’s come out has made it clear that email in the State Department was a total mess. I still think a private server was way more secure than an @gmail.com or @aol.com account; it was absolutely more secure than a Yahoo.com account.
This election is important, so I encourage all my readers to get out and vote next Tuesday. There’s more to vote on than just the presidency, too. Here in California we have something like 17 ballot initiatives. Yay, Democracy?
I suspect many folks are in a similar boat and finding it hard to concentrate on things beside the election. So much feels up in the air and important and it’s like we’re all holding our collective breath. After being in the UK last month, I realized how much elections have consequences. The falling pound made it great for us as visitors. But it’s not all sunshine and roses as companies try and sort out how they can absorb a loss in buying power on the open market.
Go vote. It’s important.
August 2016: The Month in Email
August was a busy month for both Word to the Wise and the larger world of email infrastructure.
A significant subscription attack targeted .gov addresses, ESPs and over a hundred other industry targets. I wrote about it as it began, and Spamhaus chief executive Steve Linford weighed in in our comments thread. As it continued, we worked with M3AAWG and other industry leaders to share data and coordinate efforts to help senders recover from the attack.
In the aftermath, we wrote several posts about abuse, blocklists, how the industry handles these attacks currently, and how we might address these issues going forward. And obviously this has been on my mind before this attack — I posted about ongoing problems with internet security, how open subscription forms contribute to the problem, and other ways that companies inadvertently support phishing operations.
I posted about the history of email, and recounted some of my earliest experiences, when I had a .bitnet and a .gov address. Did you use email before SMTP? Before email clients? I’d be curious to hear your stories.
Speaking of email clients, I did two posts about how mail gets displayed to the end user: Gmail is displaying authentication results, which should provide end users with a bit more transparency about how authentication is used to deliver or block messages, and Microsoft is partnering with Litmus to improve some of the display issues people face using Outlook. These are both notable — if this is not your first time reading this blog, you know about my constant refrain that delivery is a function of sending people mail they want to engage with. If the mail is properly formatted and displayed, and people have a high degree of confidence that it’s been sent from someone they want to get mail from, that goes a long way towards improving engagement in the channel.
On that note, I spoke at length with Derek Harding about how marketers might change their thinking on deliverability, and he wrote that up for ClickZ. I also participated in the creation of Adobe’s excellent Teaching the Email Marketer How to Fish document (no, not phish…).
Steve was very busy behind the scenes this month thinking about abuse-related topics in light of the SBL issues, but he wrote up a quick post about the Traffic Light Protocol, which is used to denote sensitive information as it is shared.
Finally, for my Ask Laura column this month, I answered questions about delivery and engagement metrics and about permissions with purchased lists. As always, if you have a general question about email delivery, send it along and I’ll consider it for the column.
Abuse, triage and data sharing
The recent subscription bombs have started me thinking about how online organizations handle abuse, or don’t as the case may be. Deciding what to address is all about severity. More severe incidents are handled first. Triage is critical, there’s never really enough time or resources to investigate abuse.
What makes an event severe? The answer is more complicated than one might think. Some of the things that ISP folks look at while triaging incoming complaints include:
Politician sends spam, experiences consequences, news at 11
Over the weekend I’ve been seeing a number of over the top, hyperbolic blog posts about the Trump Campaign’s agency getting suspended from their ESP for spamming. Adestra suspended the Donald Trump campaign “for committing some of the most egregious spamming in the history of the Internet in an effort to save his broke campaign.”
That quote about “most egregious spamming” is from some partisan website that is all about making Trump look bad. I did actually laugh out loud reading most egregious. Let’s be real here. This incidence of spamming doesn’t even make it into the top 100 of the ones I know about. And it’s not like I’m particularly well up on who’s spamming what.
This really is business as usual in the email space and particularly the political email space. Political senders, be they special interest groups or politicians, are sloppy with permission and will send mail to any email address they get their hands on. I talked about this last week: Spam Filtering is Apolitical
The Trump campaign isn’t the first political campaign to send spam. It wasn’t huge news in 2012, but the Romney campaign was doing some bad stuff with their email marketing. They were working with snowshoe spammers. They were listed on the SBL. They got cut off by their ESP.
While Spamhaus doesn’t keep historic records, I found a post from 2012 on the “Mainsleaze” about the Romney campaign / supporters and their use of spam as a campaign tactic. In the comments on that post a representative of Spamhaus says, “Entirely too many political operatives and some of those who work with them at ESPs feel entitled to ignore the usual rules and send opt-out bulk email to anybody they wish.” This is true, and something I’ve repeatedly mentioned on this blog.
Spam, campaign statistics and red flag URLs
It’s not often spammers send me their campaign statistics, but on Tuesday one did.
The spam came “from” news@udemy.com, used udemy.com in the HELO and message-ids and, sure enough, was advertising udemy.com:
June 2016: The Month in Email
We’re officially halfway through 2016, and looking forward to a slightly less hectic month around here. I hope you’re enjoying your summer (or winter, for those of you in the Southern Hemisphere).
Harvesting Addresses from LinkedIn
There seems to have been an uptick in the number of folks harvesting addresses from their LinkedIn contacts and adding them to mailing lists. I’ve been seeing this in my own mailbox. I’m getting added to different lists and because I used a tagged address I know these folks are harvesting from LinkedIn.
This behavior is really rude. Just because someone accepted your contact request on LinkedIn, doesn’t mean they want to be added to any mailing lists you may have. Let’s be honest, some people have hundreds or thousands of LinkedIn contacts. They’re not going to want to get mail from all of them.
This behavior risks your ESP account. I know of ESPs who have disconnected customers for importing all their LinkedIn contacts.
Of course, there are ways to effectively use your LinkedIn contacts. The short version is think about what you’re doing and how your mail will be received. Don’t grab all your contacts, be selective about who you choose. Have too many contacts to go through manually? That’s not an excuse, in fact, it’s an even bigger argument for not becoming a spammer.
I’ve previously written things you must consider when sending bulk mail to people who have connected with you on social networks.
Bad data drives delivery problems
It’s a wild election season here in the US. In the past few presidential elections, email has played a bigger and bigger role in messaging and fundraising. President Obama’s campaign used email effectively, but sent huge volumes. In fact, the volume was so heavy, it led to a joke on the Daily Show.
Sanford Wallace goes to Jail
Sanford Wallace has been sentenced to 2 years in jail by the US District court in San Jose for contempt of court and electronic mail fraud. Sanford has been around for more than 2 decades. He is one of the spammers that drove me to learn how to read headers and report spam back in the late nineties.
Sanford has been in and out of courts and the news almost as long as he’s been spamming. When I dug into Pacer this morning to grab a copy of the sentencing report I see multiple cases, some going back as far as 1996. There aren’t electronic records for Concentric Network v. Wallace, et al. (case: 5:96-cv-20829-RMW) but the final disposition of the case says “Permanent Injunction.”
Memories of Spam in May
This morning on Facebook a friend posted a picture saying that 15 years ago was the very first anti-spam conference (Spamcon*). All we have are some blurry scans of pictures and coffee mugs.
That 550 sign belonged to the bar where the night out was held. It got bought by K & P and lived in their garden until it rotted away a few years ago. So many folks who are still active in the space, and so many folks who’ve moved on. Names I’d forgotten, faces I haven’t.
Many of those folks are still working in email. Some on the sending side, some on the tools and vendor side, some on the ISP side, some on the consulting side. That conference was one of the very first times people publicly gathered to talk about spam. There were other occasions, but most were invite only with hand picked representatives of specific companies.
At that first Spamcon I was freshly laid off from MAPS (now Trend Micro). I was considering what next. The thing is, I really liked the work I was doing. MAPS had me leading a team to provide abuse desk as an outsourced service. We had a very large network provider as a customer and we were handling all the mail that came into abuse@ there. It was a challenge, I was creating processes and documenting policy, trying to do more with less and managing my first team ever.
Much of what I do now, here, grew out of that position. It was clear even then there was a need for someone who could help navigate the challenges of email.
In the same thread another person posted pictures from a social night in DC during the FTC Spam Forum. More folks, some I have lost touch with and some who are still friends and colleagues.
We were so young. All of us.
This is yet another form of community that email created. Some of it was built over email, but a lot of it happened on USENET and IRC and local meetups. There were so many ways we built community using plain text and dialup. The technology has changed, and that community from a dozen years ago has changed but it’s still all the same deep down inside.
(* If, at any point, you see me type Spamconk instead of Spamcon please blame autocorrect. It’s being difficult and even tries to correct it when I go back and edit sentences.)
Your purchased list … is spam.
This morning I got spam from someone selling email addresses. The mail starts:
Let's talk CAN SPAM
Earlier this week I posted about the increased amount of B2B spam I’m receiving. One message is not a huge deal and I just delete and move on. But many folks are using marketing automation to send a series of emails. These emails often violate CAN SPAM in one way or another.
This has been the law for 13 years now, I find it difficult to believe marketers are still unaware of what it says. But, for the sake of argument, let’s talk about CAN SPAM.
Podbox Expert Interview Series
Last month I did an interview with Podbox about email, deliverability and how I became an email expert (breaking things, lots of breaking things… and having to pick up the pieces and fix them…)
Check out the interview over on their website.
I’ve been thinking a lot about history and longevity. Next year will mark 10 years of the Word to the Wise blog and 20 years of me entering the anti-spam / deliverability space. That’s a lot of time. When I first started fighting spam it was really about my mailbox and getting rid of the junk I was receiving. At the time, a lot of people thought it was silly to spend so much effort fighting spam.
But as time has gone on, email spam and fraud became a big deal. Criminals realized they could use spam to further their gains at the expense of people. Spam is a network problem. Spam is a danger.
Personally, I’ve moved away from fighting spam. I’m now working more on making and keeping email a useful tool. Yes, that does include commercial email. Yes, it does include bulk email. Helping people get the mail they want in their inbox is a part of keeping the email ecosystem healthy. It’s the part I can do and the part I am good at.
Seeing email become such an important part of commerce, communication and modern life has been a journey. I look forward to seeing where the next 20 years takes us.
Ugg, a spammer.
I’ve written before about how there is some (I’m sure lovely) woman in the UK who has been connected to my email address. I get a lot of mail for her. Mostly spam. She doesn’t seem to be using the address, but I regularly get mail addressed to MRS. LAURA CORBISHLEY (all caps, always). Typically these messages are advertising various UK stores and products. Sometimes they’re mortgage offers. A few have been sweepstakes only open to UK residents.
I generally forward these spams off to various blocklists with the note it’s my “UK spamtrap” and they take whatever actions seem appropriate to them. Today, though, I got my first US spam to Mrs. Laura Corbishley. From a Yesmail customer called sanuk.com. I’m getting a website error (they get smacked for spamming already?) but a little research tells me this is a shoe company that owns a bunch of brands, including Ugg.
Yes, Ugg a Spammer. They even have a disclaimer at the bottom of the email telling me they’re a spammer!
Not so much, no. It appears, though, that the data brokers selling Mrs. Corbishley’s name connected to my email address have figured out that no one ever actually acts on any of their UK offers. So now they’re selling into the US market in hopes that they might entice a purchase?
On a purely nosy level, I’d love to know who was selling the address. First off, I’d love to know where they got this info in the first place. Secondly, what horrible database are they using that keeps name data in all caps? (When I get email to this trap I think they’re shouting at me, as if I’m the one who is wrong about my name. Maybe they think if they yell at me loud enough I will decide I really am the happy wife of Mr. Corbishley of Swindon, UK.)
I do tell clients that it’s useful to remind customers that they signed up for mail, especially if they haven’t mailed for a while. So I know not every email with a “you opted in” reminder is spam, but I only notice those things when I haven’t opted in. It’s something I mostly gloss over if I really did opt-in. I wonder if this is how other folks react to “you opted in” notices, too.
I do recommend the reminder be much more specific than “you opted in at our website.” Give the user a date, a time, something that isn’t just something any company can, and many do, make up.
Things to read: March 9, 2016
It’s sometimes hard for me to keep up with what other people are saying and discussing about email marketing. I’ve been trying to be more active on LinkedIn, but there are just so many good marketing and delivery blogs out there I can’t keep up with all of them.
Here are a couple interesting things I’ve read in the last week.
Five Steps to Stay Out of the Spam Folder. Conceptually easy, sometimes hard to pull off in practice, these recommendations mirror many things I say here and tell my clients about delivery. The audience is in charge and your recipients are the best ally you can have when it comes to getting into the inbox.
Which states are the biggest sources of spam? California and New York top the list, but the next two states are a little surprising. Over on Spamresource, Al points out the two next states have some unique laws that may affect the data. I just remember back in the day there were a lot of spammers in Michigan, I’m surprised there’s still a significant volume from there.
CASL didn’t destroy Canadian email. Despite concerns that CASL would destroy the Canadian email marketing industry, the industry is going strong and expanding. In fact, spending on email marketing in Canada was up more than 14% in 2015 and is on track to be up another 10% this year. Additionally, according to eMarketer, lists are performing better because they’re cleaner.
A brief history of email. Part of the Guardian’s tribute to Ray Tomlinson, the person who sent the first email. Ray’s work literally changed lives. I know my life would be significantly different if there wasn’t email. Can you imagine trying to be a deliverability consultant without email? 🙂
Mandrill changes
Last week Mandrill announced that they were discontinuing their free services and all customers would be required to have a corresponding paid Mailchimp account.
The truth matters.
Call within the next 10 minutes…
Consumers with last names starting with O – Z can call tomorrow…
Only 5 seats left at this price!
All of these are common marketing techniques designed to prompt consumers to buy. It’s not a new idea, create a sense of urgency and people are more likely to buy.
I think some marketers are so used to making outrageous claims to support their marketing goals, that it doesn’t occur to them that the truth matters to some people.
There’s almost no better way to get me to send in a spam complaint than to send me an email with a claim about how I opted in.
Example:
Spamhaus reports Verizon routing hijacked IPs
Late last week Spamhaus published a blog post detailing their investigation into Verizon routing millions of IP addresses hijacked by spammers.
The Spamhaus blog post goes into some detail about what hijacked routing is.
What do you think about these hot button issues?
It’s been one of those weeks where blogging is a challenge. Not because I don’t have much to say, but because I don’t have much constructive to say. Rants can be entertaining, even to write. But they’re not very helpful in terms of what do we need to change and how do we move forward.
A few different things I read or saw brought out the rants this week. Some of these are issues I don’t have answers to, and some of them are issues where I just disagree with folks, but have nothing more useful to say than, “You’re wrong.” I don’t even always have an answer to why they’re wrong, they’re just wrong.
I thought today I’d bring up the issues that made me so ranty and list the two different points of views about them and see what readers think about them. (Those of you who follow me on Facebook probably know which ones my positions are, but I’m going to try and be neutral about my specific positions.)
Dealing with blocklists, deliverability and abuse people
There are a lot of things all of us in the deliverability, abuse and blocklist space have heard, over and over and over again. They’re so common they’re running jokes in the industry. These phrases are used by spammers, but a lot of non-spammers seem to use them as well.
The most famous is probably “I’m sure they’ll unblock me if I can just explain my business model.” Trust me, the folks blocking your mail don’t want to hear about your business model. They just want you to stop doing whatever it is you’re doing. In fact, I’m one of the few people in the space who actually wants to hear about your business model – so I can help you reach your goals without doing things that get you blocked.
A few months ago, after getting off yet another phone call where I talked clients down from explaining their business model to Spamhaus, I put together a list of phrases that senders really shouldn’t use when talking to their ESP, a blocklist provider or an abuse desk. I posted it to a closed list and one of the participants put it together into a bingo card.
A lot of these statements are valid marketing and business statements. But the folks responsible for blocking mail don’t really care. They just want their users to be happy with the mail they receive.
Finally! Spam has a purpose
Author Julie Czerneda posted about some of her writing techniques on Jim C. Hines’ blog today. Julie is one of my favorite authors. She’s a biologist so her science writing flows well for me. Too many folks try to write biology and get little nitpicky details wrong and it can disrupt the whole book for me. I spend way too much time thinking about the actual biology and lose track of the plot.
One part of her post stood out and made me smile, though.
Silly Spam
I was cleaning out my inbox over the weekend and found a spam that actually made me laugh.
Yes, it is spam advertising the “Official Greed[sic] Card Lottery.” It’s been 20 years since I’ve seen one of those!
September 2015: The month in email
September’s big adventure was our trip to Stockholm, where I gave the keynote address at the APSIS Conference (Look for a wrapup post with beautiful photos of palaces soon!) and had lots of interesting conversations about all things email-related.
Now that we’re back, we’re working with clients as they prepare for the holiday mailing season. We wrote a post on why it’s so important to make sure you’ve optimized your deliverability strategy and resolved any open issues well in advance of your sends. Steve covered some similar territory in his post “Outrunning the Bear”. If you haven’t started planning, start now. If you need some help, give us a call.
In that post, we talked a bit about the increased volumes of both marketing and transactional email during the holiday season, and I did a followup post this week about how transactional email is defined — or not — both by practice and by law. I also wrote a bit about reputation and once again emphasized that sending mail people actually want is really the only strategy that can work in the long term.
While we were gone, I got a lot of spam, including a depressing amount of what I call “legitimate spam” — not just porn and pharmaceuticals, but legitimate companies with appalling address acquisition and sending strategies. I also wrote about spamtraps again (bookmark this post if you need more information on spamtraps, as I linked to several previous discussions we’ve had on the subject) and how we need to start viewing them as symptoms of larger list problems, not something that, once eradicated, means a list is healthy. I also posted about Jan Schaumann’s survey on internet operations, and how this relates to the larger discussions we’ve had on the power of systems administrators to manage mail (see Meri’s excellent post here).
I wrote about privacy and tracking online and how it’s shifted over the past two decades. With marketers collecting and tracking more and more data, including personally-identifiable information (PII), the risks of organizational doxxing are significant. More so than ever before, marketers need to be aware of security issues. On the topic of security and cybercrime, Steve posted about two factor authentication, and how companies might consider providing incentives for customers to adopt this model.
Spammers, eh?
I’m back from a fun and successful trip to the APSIS Email Marketing Evolved conference. Of course, this means I’m digging out my mailboxes and going through mail I’ve ignored for the past week. It’s amazing how the spam builds up when I’m not tending to it every day.
It's not about the spamtraps
I’ve talked about spamtraps in the past but they keep coming up in so many different discussions I have with people about delivery that I feel the need to write another blog post about them.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …
Your system; your rules
In the late 90s I was reasonably active in the anti-spam community and in trying to protect mailboxes. There were a couple catchphrases that developed as a bit of shorthand for discussions. One of them was “my server, my rules.” The underlying idea was that someone owned the different systems on the internet, and as owners of those systems they had the right to make usage rules for them. These rules can be about what system users can do (AUPs and terms of service) or about what other people can do (web surfers or email senders).
I think this is still a decent guiding principle in “my network, my rules”. I do believe that network owners can choose what traffic and behavior they will allow on their network. But these days it’s a little different than it was when my dialup was actually a PPP shell account and seeing a URL on a television ad was a major surprise.
But ISPs are not what they once were. They are publicly owned, global companies with billion dollar market caps. The internet isn’t just the playground of college students and researchers, just about anyone in the US can get online – even if they don’t own a computer there is public internet access in many areas. Some of us have access to the internet in our pockets.
They still own the systems. They still make the rules. But the rules have to balance different constituencies including users and stockholders. Budgets are bigger, but there’s still a limited amount of money to go around. Decisions have to be made. These decisions translate into what traffic the ISP allows on the network. Those decisions are implemented by the employees. Sometimes they screw up. Sometimes they overstep. Sometimes they do the wrong thing. Implementation is hard and one of the things I really push with my clients. Make sure processes do what you think they do.
A long way of dancing around the idea that individual people can make policy decisions we disagree with on their networks, and third parties have no say in them. But those policy decisions need to be made in accordance with internal policies and processes. People can’t just randomly block things without consequences if they violate policies or block things that shouldn’t be blocked.
Ironically, today one of the major telcos managed to accidentally splash their 8xx number database. 8xx numbers are out all over the country while they search for backups to restore the database. This is business critical for thousands of companies, and is probably costing companies money right and left. Accidents can result in bigger problems than malice.
August 2015: The month in review
It’s been a busy blogging month and we’ve all written about challenges and best practices. I found myself advocating that any company that does email marketing really must have a well-defined delivery strategy. Email is such a vital part of how most companies communicate with customers and potential customers, and the delivery landscape continues to increase in complexity (see my post on pattern matching for a more abstract look at how people tend to think about filters and getting to the inbox). Successful email marketers are proactive about delivery strategy and are able to respond quickly as issues arise. Stay tuned for more from us on this topic.
I also wrote up some deliverability advice for the DNC, which I think is valuable for anyone looking at how to maintain engagement with a list over time. It’s also worth thinking about in the context of how to re-engage a list that may have been stagnant for a while. A comment on that post inspired a followup discussion about how delivery decisions get made, and whether an individual person in the process could impact something like an election through these delivery decisions. What do you think?
As we frequently point out, “best practices” in delivery evolve over time, and all too often, companies set up mail programs and never go back to check that things continue to run properly. We talked about how to check your tech, as well as what to monitor during and after a send. Josh wrote about utilizing all of your data across multiple mail streams, which is critical for understanding how you’re engaging with your recipients, as well as the importance of continuous testing to see what content and presentation strategies work best for those recipients.
Speaking of recipients, we wrote a bit about online identity and the implications of unverified email addresses in regards to the Ashley Madison hack and cautioned about false data and what might result from the release of that data.
Steve’s in-depth technical series for August was a two-part look at TXT records — what they are and how to use them — and he explains that the ways people use these, properly and improperly, can have a real impact on your sends.
In spam news, the self-proclaimed Spam King Sanford Wallace is still spamming, despite numerous judgments against him and his most recent guilty plea this month. For anyone else still confused about spam, the FTC answered some questions on the topic. It’s a good intro or refresher to share with colleagues. We also wrote about the impact of botnets on the inbox (TL;DR version: not much. The bulk of the problem for end users continues to be people making poor marketing decisions.) In other fraud news, we wrote about a significant spearphishing case and how DMARC may or may not help companies protect themselves.
Still Spamming…
This morning I woke up to news that Sanford Wallace pled guilty to spamming. Again.
Sanford was one of the very early spammers (savetrees.com). He moved to email from junk faxing when Congress made junk faxing illegal in 2005. He sued AOL when AOL blocked his mail. He lost and the courts maintained that blocking spam was not a violation of the sender’s rights. Sanford then moved on to using open relays to avoid blocks. He was eventually disconnected from his backbone provider (AGIS) for abuse. Sanford sued AGIS for breach of contract and was reconnected for a brief period of time.
After his disconnection from AGIS, Sanford and a few of the other folks proposed a backbone provider that allowed bulk email marketing. That never really went anywhere.
Reading these old articles is a major blast from the past. The legal case between AGIS and Cyberpromotions was the event that led to my involvement in email marketing and spam. I even spent a Saturday afternoon in the late 90s with about a dozen people on a con call with Sanford and Walt talking about his backbone idea. My position was pretty simple: it wasn’t going to work, but as long as there was consent it was his network and he could do what he wanted.
I kinda lost track, just because he moved onto other ways of advertising and I got deeper and deeper into deliverability consulting. He did show up on my radar a few years ago when Facebook sued him for breaking into user accounts and using those accounts to spam. He lost a $711 million dollar judgement to Facebook, but given he didn’t have the resources the judge in that case recommended criminal charges.
Criminal charges were filed a few years later. Yesterday, Sanford pled guilty to fraud and criminal contempt as well as violating a court order to stay off Facebook’s network.
He now faces $250,000 in fines and up to 16 years in jail. Given his history, I expect he’ll figure out some way to still send spam even if he’s locked up.
Sanford is one of the reasons so many folks have such a low opinion of anyone who describes their business as “legitimate email marketing.” Sanford used the same phrase back in the late 90s. Of course no one, with the possible exception of him, actually believed that. But when someone like that adopts the moniker “legitimate email marketer” it’s hard to take them seriously when someone like Sanford has been using that since the late 90s.
Ashley Madison Compromise
Last month Brian Krebs reported that the Ashley Madison database was compromised. Ashley Madison is a dating site that targets married folks who are looking to have affairs. Needless to say, there is a lot of risk for users if their data is found on the released data. Today what is supposedly the Ashley Madison data was released.
The release of this data can have some significant impacts on the site members. Of course there’s the problem of credit card numbers being stolen, but that’s something most of us have to deal with on a regular basis. But there can also be significant relationship repercussions if/when a spouse discovers that their partner has registered on a site to have affairs.
When I first heard of the compromise I wondered if they had my data. You see, they have one of my spamtraps on their unsubscribe list. It just so happened that I visited an unsubscribe link, hosted by Ashley Madison (http://unsub.ashleymadison.com/?ref=2). This was during the time when I decided to unsubscribe from all the spam coming into one of my spamtraps. Is my email address going to be a part of this data dump? If my email address is there, what name do they have associated with it? This is the trap that gets mail addressed to multiple other people. Maybe it’s my email address but their name. Are they at risk for relationship problems or legal problems due to my attempt to unsubscribe?
Of course, Ashley Madison had no incentive to make sure their data was correct. In fact, they were sued for faking data to entice paying members. How much of the released data is false and will there be real harm due to that?
I expect in the next few days someone (or multiple someones) will put up a website where those of us who are curious can search the data. I just hope that people realize how much of the data is likely to be false. Even Arstechnica cautions readers against jumping to conclusions.
Are botnets really the spam problem?
Over the last few years I’ve been hearing some people claim that botnets are the real spam problem and that if you can find a sender then they’re not a problem. Much of this is said in the context of hating on Canada for passing a law that requires senders actually get permission before sending email.
Botnets are a problem online. They’re a problem in a lot of ways. They can be used for denial of service attacks. They can be used to mine bitcoins. They can be used to host viruses. They can be used to send spam. They are a problem and a lot of people spend a lot of time and money trying to take down botnets.
For the typical end user, though, botnets are a minor contributor to spam in the inbox. Major ISPs, throughout the world, have worked together to address botnets and minimize the spam traffic from them. Those actions have been effective and many users never see botnet spam in their inbox, either because it’s blocked during send or blocked during receipt.
Most of the spam end users have to deal with is coming from people who nominally follow CAN SPAM. They have a real address at the bottom of the email. They’re using real ISPs or ESPs. They have unsubscribe links. Probably some of the mail is going to opt-in recipients. This mail is tricky, and expensive, to block, so a lot more of it gets through.
Much of this mail is sent by companies using real ISP connections. Brian Krebs, who I’ve mentioned before, wrote an article about one hosting company who previously supported a number of legal spammers. This hosting company was making $150,000 a month by letting customers send CAN SPAM legal mail. But the mail was unwanted enough that AOL blocked all of the network IP space – not just the spammer space, but all the IP space.
It’s an easy decision to block botnet sources. The amount of real mail coming from botnet space is zero. It’s a much bigger and more difficult decision to block legitimate sources of emails because there’s so much garbage coming from nearby IPs. What AOL did is a last resort when it’s clear the ISP isn’t going to stop spam coming out from their space.
Botnets are a problem. But quasi legitimate spammers are a bigger problem for filter admins and end users. Quasi legitimate spammers tend to hide behind ISPs and innocent customers. Some send off shared pools at ESPs and hide their traffic in the midst of wanted mail. They’re a bigger problem because the mail is harder to filter. They are bigger problems because a small portion of their recipients actually do want their mail. They’re bigger problems because some ISPs take their money and look the other way.
Botnets are easy to block, which makes them a solved problem. Spam from fixed IPs is harder to deal with and a bigger problem for end users and filters.
4 things spammers do legitimate marketers don't
I’ve never met a spammer that claims to be a spammer. Most that I’ve met claim to be legitimate marketers (or high volume email deployers). But there are things spammers do that I never expect to see a legitimate marketer doing.
I’ve written about these things throughout the blog (tag: TWSD), but it’s probably time to actually pull them together into a single post.
Don't like opt-outs? Target your program better.
I get a LOT of spam here. Most of it is marked and trivial to get rid of. Some of it is what I would call semi-legitimate. It’s a real product, but I never asked to receive any information from this company and am not actually part of their demographic. For one time things I just hit delete and move on. Life is too short to complain or opt out of every spam I get. (Tried that, got more mail)
But sometimes if the same sender keeps bothering me, I will send back an email asking them to cease contact. I recently had an occasion where someone sent an initial email trying to sell me bulk SMS, online video and other services. I ignored it because we’re not in the market for any of these services. A week later I got a followup asking why I hadn’t provided feedback to them and if there was a better person to talk to at the company. I looked for a way to opt-out of this message stream, but there wasn’t one. I sent a reply telling them we were not interested in speaking to them and to please cease all communication. (“You didn’t receive feedback because I have no interest in talking to you. Please cease all future contact.” Admittedly that was terse, but it was polite.)
My request to cease communication was not well received, nor was it honored. Mind you, they first contacted me trying to sell me services that are totally off what we offer. When I asked them not to contact me, they turned it around that we’d lost business.
CRTC fines Compu-Finder $1.1 million for CASL violations
The Canadian Radio-television and Telecommunications Commission (CRTC) is the principal agency tasked with enforcing Canada’s anti-spam law. Today they issued a Notice of Violation to Compu-Finder including a $1.1 million dollar fine for 4 violations of CASL. The violations include sending unsolicited email and having a non-working unsubscribe link. According to the CRTC, complaints about Compu-Finder accounted for 26% of all complaints submitted about this industry sector.
This is the first major fine announced under CASL.
One of the first things that jumped out at me about this is the action was taken against B2B mail. There are a lot of senders out there who think nothing of sending unsolicited emails to business addresses. In my experience, many B2B senders think permission is much less important for them than B2C senders. I think that this enforcement action demonstrates that, at least to the CRTC, permission is required for B2B mail.
The other thing that jumped out is that given the extent of the complaints (26%) the financial penalties were only slightly more than 10% of the $10M maximum penalty. It seems the CRTC is not blindly applying the maximum penalty, but is instead actually applying some discretion to the fines.
I’ve looked for the actual notice of violation, but haven’t been able to find a copy. If I find it, I will share.
Mary Litynski Award winner Jayne Hitchcock
This morning the Messaging, Mobile and Malware Anti-Abuse Working Group announced the winner of the Mary Litynski Award.
Congratulations to Jayne Hitchcock of WHO@ for her work over the last 2 decades fighting online abuse and cyberstalking.
I’ve never actually met Jayne, but I do remember following her story in the late 90s. She started off trying to protect people from being scammed by Woodside Literary Agency. In return for her work to inform and protect people the principals of Woodside set out on a multi-year harassment campaign against her.
This was in the late 90s and the Internet was very new. There weren’t any laws. There weren’t really abuse desks. We had to protect each other. Law enforcement didn’t know what to do with problems. There weren’t any laws against harassment online. The word “cyberstalking” was created by a reporter when describing what was happening to Jayne.
Jayne has been a force for good online and she and her volunteers help people who are victims of abuse online and cyberstalking. She’s been instrumental in getting anti-cyberstalking laws passed and helping law enforcement understand why online abuse is an issue and that it should be addressed.
January 2015 – The Month in Email
It’s February already! January went fast, right? At WttW, we are gearing up for MAAWG SF later this month — will we see you there?
We started the year with a set of predictions about email. Mostly we think email will continue to be great at some things and not-so-great at other things, and we’ll keep fighting the good fight to make it better.
As always, I’m interested in filters and how spammers continue to work around them to reach the inbox. I also wrote about how the language of an email impacts delivery, and wrote an expanded response to a comment suggesting email filters should be illegal. You can guess where I stand on that (and if you can’t, perhaps you might read more about how email is an inherently malicious traffic stream…)
I also took a moment to point out a trend I’m really enjoying, which is the rise of content marketing (a.k.a. giving customers useful and interesting information they can’t find elsewhere). As I said in the post, I’ll be curious to see how ROI plays out with this strategy.
We also talked about some of the less exciting content we see in email, notably the infamous Murkowski Statement, by which a spammer declares “Nope! Nothing to see over here!”
Steve also pointed out some content shenanigans in the form of hidden preview text, with some additional clarification from the original marketer in the comments.
In industry news, the big story was that Microsoft has partially implemented DMARC for Office365, and was the first to make a public statement about the specific ways they’ve chosen to implement. In my post, I did a walkthrough of a message to illustrate a bit about how this works, which might be useful if you’re trying to wrap your head around DMARC implementations.
We also talked about consolidation in the ESP space, and got a number of comments from readers about who they think might be next. Shortly thereafter, Listcast was acquired by MailerMailer.
Josh noted a few major shutdowns: Yahoo China email services and the AHBL list. The latter explores the challenges inherent in decommissioning a blacklist, and there’s a good discussion in the comments, so you might check it out if you missed that earlier this month.
Josh also pointed to the Salesforce State of Marketing report, which is always a useful set of metrics about how marketers are using email and other channels. It’s definitely worth a read.
Language as filtering criteria
A few months ago I was working on a delivery audit for a client who sends mail in multiple languages. We discovered that the language of an email has a significant delivery impact. The same email in different languages was delivered differently, particularly at Gmail. Emails in a language I don’t normally receive email in were delivered to my bulk folder.
Other folks have commented on similar things. Some filters really do look at preferred language of the recipient and treat mail in other languages as problematic. I don’t think that’s unreasonable. I do get a lot of foreign language spam and there’s no real way to stop it. Many countries don’t require opt-out links, and so there isn’t a clear way to even unsubscribe.
Writing in the recipient’s local language is one way to minimize inappropriate blocking, even when you have permission to send mail.
Dodging filters makes for effective spamming
Spam is still 80 – 90% of global email volume, depending on which study you look at. Most of that spam doesn’t make it to the inbox; ISPs reject a lot of it during the SMTP transaction and put much of the rest of it in the bulk folder. But as the volumes of spam have grown, ISPs and filters are relying more and more on automation. Gone are the days when a team of people could manually review spam and tune filters. There’s just too much of it out there for it to be cost effective to manually review filters.
In some ways, though, automatic filters are easier to avoid than manual filters. Take a spam that I received at multiple addresses today. It’s an advertisement for lists to “meet my marketing needs.” I started out looking at this mail to walk readers through all of the reasons I distrusted this mail. But some testing, the same sorts of testing I do for client mails, told me that this mail was making it to the inbox at major ISPs.
What told me this mail was spam? Let’s look at the evidence.
December 2014: The month in email
2014 has been a busy and exciting year at Word to the Wise (look for more on that in a year-end wrap-up post next week!) and this month was particularly thrilling for us as we officially doubled our size with the addition of Josh and Meri on our client services team.
If you’re a regular reader of our blog, you’ve probably spotted Josh’s byline on a few posts: Google’s Inbox Team answers questions on Reddit, which looks at what this new email client portends for both consumers and email marketers, and M3AAWG Recommends TLS, which reviews M3AAWG’s recommendation that mailbox providers phase out SSL encryption in favor of TLS. Look for more smart insights from Josh in 2015.
Steve contributed a post on the proper syntax for displaying a friendly email address, and a very helpful guide for generating useful test data that doesn’t compromise personally identifiable information from your actual customer data. He also detailed the brief DBL false positive from Spamhaus’ new “Abused-Legit” sub-zone and best practices for handling unrecognized responses.
I wrote about some of the subtleties inherent in how brands decide to “converse” with customers in email and other channels. We’ll just keep saying it: companies need to respect the inbox as personal space. I want to thank both Steve and Josh for picking up my slack on blogging. 7+ years is a long time to try and say new things on the blog and I needed a bit of a break.
Spam is about invading other people's space
At the recent Sendgrid Emailmatter’s conference Sally Lehman advised attendees to “Treat someone’s inbox like it was their home.” This is advice I’ve been giving clients for a long time. I think it’s even more relevant now as so many people have data enabled phones and are checking email so frequently. It’s not just their home, it’s their personal space they can take with them.
Seanan McGuire, a friend and NY Times bestselling author, wrote a blog post today about how she views promotion and marketing as an artist and someone who is expected to promote her work. She also talks about what it feels like to be a target of promotion and offers some advice about how to promote your products online. She talks about how she, as an author and creative type, is expected to do some level of self promotion and how that promotion is done in her space – whether that space be on twitter or her blog.
Email problems are costly
Last week Zulily released their quarterly earnings. Their earnings report was disappointing, resulting in a drop in their stock prices. The chairman of the company told reporters on a conference call that part of the reason for the drop in earnings was due to deliverability problems “at a large ISP.”
Disposable addresses
Both Steve and I have blogged about how we use tagged addresses to monitor and manage our incoming mail. This is not something unique to our system, but rather a feature that’s existed in many mail systems for a long time. Many unix systems support tagged addresses out of the box, but there are also commercial MTAs and even some webmail services that support tags.
Gmail offers “+ addressing” where users can use unique tags after their username. This gives every Gmail user an unlimited number of addresses to use. If any address gets leaked or compromised, you can set filters to ignore future mail to that particular tagged address.
Yahoo offers up to 500 unique addresses per account. Initially this was a service provided by OtherInbox, now owned by Return Path, but it’s not clear if that’s still the case.
Spamgourmet has been offering disposable addresses since 2000. Their system has a built in limit on the number of emails a particular email will receive, which can help control the incoming volume.
Spamex is another provider of disposable addresses that’s been around for years and is providing services that allow recipients to control their incoming mail.
New on the scene is MeAndMyID.com who popped up in the comments here today. They are offering disposable addresses, free for a lifetime, if you sign up soon.
There are also the “short term” or “open inbox” disposable addresses like Mailinator or 10 Minute Mail.
I find disposable addresses invaluable for sorting through the mail coming into my account. A bank email to an address I didn’t give the bank? It’s a phish. A pizza hut email to an untagged address? Not real. Target emails to an address only given to Amazon? Amazon is selling or giving addresses away in violation of their privacy policy. Unexpected email from a vendor, but to a tagged address? Time to unsubscribe as I’ve lived this long without their mail.
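The triage described above can be automated. The following is an added example, not code from the original post: it reads the tag from the recipient address and compares it with the domain in the From: header. The mailbox, the tag registry, the `.example` domains and the verdict names are all constructed for illustration, and the suffix match stands in for a real organizational-domain lookup.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

MAILBOX = "user@example.net"  # constructed mailbox that owns the tags

# Constructed registry: tag -> domains of the one sender that tag was given to.
REGISTRY = {
    "shop": {"shop.example"},
    "bank": {"bank.example"},
    "pizza": {"pizza.example"},
}


def split_tag(address, sep="+"):
    """Split user+tag@domain into (user, tag or None, domain)."""
    local, _, domain = address.rpartition("@")
    base, found, tag = local.partition(sep)
    return base.lower(), (tag.lower() if found else None), domain.lower()


def in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def recipient_tag(msg, mailbox):
    """Find our mailbox in Delivered-To/To/Cc; return (found, tag)."""
    my_base, _, my_domain = split_tag(mailbox)
    values = []
    for name in ("Delivered-To", "To", "Cc"):
        values += msg.get_all(name, [])
    for _, addr in getaddresses(values):
        base, tag, domain = split_tag(addr)
        if (base, domain) == (my_base, my_domain):
            return True, tag
    return False, None


def triage(raw, mailbox=MAILBOX, registry=REGISTRY):
    """Classify a message by comparing recipient tag and From: domain.

    The From: header is trivially forged; the signal is the tag, which
    only the sender it was handed to should know.
    """
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    mine, tag = recipient_tag(msg, mailbox)
    if not mine:
        return "not-addressed-to-me"
    if tag is None:
        # A sender that was given a tagged address has no reason to
        # write to the bare one, so the claimed sender is not real.
        known = any(in_domains(sender_domain, d) for d in registry.values())
        return "vendor-to-untagged-address" if known else "untagged"
    if tag not in registry:
        return "unknown-tag"
    if in_domains(sender_domain, registry[tag]):
        return "expected"  # real vendor mail; unsubscribe if unwanted
    # Phish, or the address was sold or shared by the tag's owner.
    return "tag-used-by-other-sender"


def make_message(from_header, to_header):
    """Build a minimal constructed message for the demonstration."""
    return f"From: {from_header}\nTo: {to_header}\nSubject: test\n\nbody\n"


if __name__ == "__main__":
    samples = [
        ("Shop <news@mail.shop.example>", "user+shop@example.net"),
        ("Bank <alerts@bank.example>", "user+shop@example.net"),
        ("Pizza <deals@pizza.example>", "user@example.net"),
    ]
    for frm, to in samples:
        print(f"{frm:35} -> {to:25} {triage(make_message(frm, to))}")
```
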
Spam, Phish or Malware?
Some mornings I check mail from my phone. This showed up this morning.
My first thought was “oh, no, Pizza Hut is spamming, wonder who sold them my address.”
Then I remembered that iOS is horrible and won’t show you anything other than the Friendly From and maybe it was some weird phishing scheme.
When I got to my real mail client I checked headers, and sure enough, it wasn’t really from Pizza Hut. I’m guessing actually malware, but I don’t have a forensics machine to click the link and I’m not doing it on anything I can’t wipe (and have isolated from the rest of my network).
The frustrating thing for me is that this is an authenticated email. It’s not from Pizza Hut, the address belongs to some company in France. Apparently, that company has had their systems cracked and malware sent through them. Fully authenticated malware, pretending to be Pizza Hut, and passing authentication on various devices.
Pizza Hut isn’t currently publishing a DMARC record, but in this case, a DMARC record for Pizza Hut wouldn’t matter. None of the email addresses in the headers point to Pizza Hut.
I spent last week listening to a lot of people discussing DMARC and authentication and protecting people from scams and headers. But all the protocols in the world won’t protect against this kind of thing. Phishing and malware can’t be fixed by technology alone. Even if every domain on the planet published a p=reject policy, mail like this would still get through.
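The header check described above, as an added example that is not part of the original post: it shows that DMARC is evaluated for the domain in the From: header, so a message can pass authentication while its Friendly From names a brand whose domain appears nowhere in the headers. The brand table, the `.example` domains, the receiver id and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed table: display-name keyword -> domains the brand really mails from.
BRANDS = {"example pizza": {"pizza.example"}}


def make_message(display, domain, auth="pass"):
    """Constructed message: every address in the headers uses `domain`."""
    return (
        "Authentication-Results: mx.receiver.example;\n"
        f" spf={auth} smtp.mailfrom=bounce@{domain};\n"
        f" dkim={auth} header.d={domain};\n"
        f" dmarc={auth} header.from={domain}\n"
        f"From: \"{display}\" <contact@{domain}>\n"
        f"Reply-To: contact@{domain}\n"
        f"Return-Path: <bounce@{domain}>\n"
        "To: user@example.net\n"
        "Subject: Your coupon\n"
        "\n"
        "body\n"
    )


def in_domains(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def auth_results(msg, trusted_id):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from our own receiver.

    Only Authentication-Results headers whose authserv-id is our receiver
    are read; a sender can insert lookalike headers of its own.
    """
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        if not value.strip().lower().startswith(trusted_id.lower()):
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            results.setdefault(method.lower(), result.lower())
    return results


def header_domains(msg):
    """Domains of every address-bearing identity header that is present."""
    found = {}
    for name in ("From", "Reply-To", "Return-Path", "Sender"):
        _, addr = parseaddr(msg.get(name, ""))
        if "@" in addr:
            found[name] = addr.rpartition("@")[2].lower()
    return found


def examine(raw, brands=BRANDS, trusted_id="mx.receiver.example"):
    """Compare the Friendly From with the domains that were authenticated."""
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    domains = header_domains(msg)
    from_domain = domains.get("From", "")
    auth = auth_results(msg, trusted_id)
    claimed = [b for b in brands if b in display.lower()]
    brand_domains = set().union(*(brands[b] for b in claimed))
    if not claimed:
        verdict = "no-brand-claim"
    elif in_domains(from_domain, brand_domains):
        verdict = "consistent"
    elif auth.get("dmarc") == "pass":
        # Passed DMARC for someone else's domain; the brand's own
        # policy was never consulted.
        verdict = "authenticated-impersonation"
    else:
        verdict = "unauthenticated-impersonation"
    return {
        "friendly_from": display,
        "dmarc_policy_domain": from_domain,
        "auth": auth,
        "brand_domain_in_headers": any(
            in_domains(d, brand_domains) for d in domains.values()
        ),
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(examine(make_message("Example Pizza Rewards", "societe.example")))
```

A mail client that shows only the display name hides exactly the field this check relies on, which is why the result has to come from the full headers.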
CASL enforcement
As most people know, the Canadian Anti-Spam Law (CASL) went into effect July 1 of this year. This month, the CRTC concluded its first investigation.
Email marketing not dead yet
If Forrester research is to be believed, email marketing is feeling better. In fact, it seems email marketing is more effective than ever.
Who pays for spam?
A couple weeks ago, I published a blog post about monetizing the complaint stream. The premise was that ESPs could offer lower base rates for sending if the customer agreed to pay per complaint. The idea came to me while talking with a deliverability expert at a major ESP. One of their potential customers wanted the ESP to allow them to mail purchased lists. The customer even offered to indemnify the ESP and assume all legal risk for mailing purchased lists.
While on the surface this may seem like a generous offer, there aren’t many legal liabilities associated with sending email. Follow a few basic rules that most of us learn in Kindergarten (say your name, stop poking when asked, don’t lie) and there’s no chance you’ll be legally liable for your actions.
Legal liability is not really the concern for most ESPs. The bigger issues for ESPs include overall sending reputation and cost associated with resolving a block. The idea behind monetizing the complaint stream was making the customer bear some of the risk for bad sends. ESP customers do a lot of bad things, up to and including spamming, without having any financial consequences for the behavior. By sharing in the non-legal consequences of spamming, the customer may feel some of the effect of their bad decisions.
Right now, ESPs really protect customers from consequences. The ESP pays for the compliance team. The ESP handles negotiations with ISPs and filtering companies. The cost of this is partially built into the sending pricing, but if there is a big problem, the ESP ends up shouldering the bulk of the resolution costs. In some cases, the ESP even loses revenue as they disconnect the sender.
ESPs hide the cost of bad decisions from customers and do not incentivize customers to make good decisions. Maybe if they started making customers shoulder some of the financial liability for spamming there’d be less spamming.
Unsubscribing is hard
A comment came through on my post about unsubscribing that helpfully told me that the problem was I didn’t unsubscribe correctly.
As you know, there are usually two unsubscribe options in many of the bulk senders emails. Are you unsubscribing from the global or the offer unsub? Unless you are unsubscribing from both, you will still be on the lists.
To address the underlying question, I did unsubscribe from both links for those very few mails in my mailbox that had double unsubscribe links. I know that some spammers use multiple unsubscribe links in their emails. We routinely recommend clients not use 3rd party mailers with double unsubscribes because it’s a clear sign the 3rd party mailer is a spammer.
Given the presence of double unsubscribes I generally assume the point is to confuse recipients. By having multiple unsubscribe links the spammers can ignore unsubscribe requests with the excuse that “you unsubscribed from the wrong link.” Plausible deniability at its finest. The best part for the spammer is that it doesn’t matter which unsubscribe link the recipient picks, it will always be the Wrong One.
I’ve been dealing with spam since the late 90s, and have been professionally consulting on delivery for over 14 years. If I can’t figure out what link to use to unsubscribe, how is anyone supposed to figure out how to make mail stop?
In some cases, the unsubscribe links admitted that the address I was trying to unsubscribe was already removed from the list. They helpfully refused to let me unsubscribe again through their form. But they offered a second way to unsubscribe.
The address I was unsubscribing was the same one I was unsubscribing. Some of the emails even helpfully told me “this email was sent to trapaddress@” which is the address in the above screenshot.
I’m sure my friend will come back and comment with “why didn’t you unsubscribe by forwarding the email?” Because I was spending enough time unsubscribing as it was, and I didn’t want to have to try and navigate yet another unsubscribe process. I knew they weren’t going to stop mailing me, no matter what hoops I jumped through.
I’m not saying that all unsubscribe processes are broken, there are millions and millions of emails sent every day with simple and effective unsubscribe links. What I am saying is that there is a lot of mail getting to inboxes that users never requested nor wanted. “Just unsubscribing” from this mail Does Not Work. It just keeps coming and coming and coming.
But of course, the mail still coming is my fault, as I was unable to correctly unsubscribe.
Yes, spam is actually still a problem
I hear a lot of people claim that spam isn’t really a problem any more. That filters are so good that the average user doesn’t see a lot of spam and if they do get “legitimate” mail that they can just opt out.
These are great sounding arguments, the problem is that those arguments aren’t always true.
There is an address I stopped using for commercial mail around 1997 and all mail around 2002. It still gets hundreds of emails a month.
Those hundreds of emails a month are despite the fact that the address is behind commercial spam filters. It’s been on “flamers lists.” It’s on the “do not mail” list that came with the “Millions CD.”
In addition, I am very open with clients (and their affiliates) that this is a “spam trap” address. I’ve handed it out to dozens and dozens of companies over the years describing it as my spam trap address.
In November 2013, I unsubscribed from every single email received at that account – at least those that had unsubscribe links.
What does the mail volume look like now?
If anything unsubscribing made the volume problems worse. In the best case it lowered the volume briefly to something approaching 10 emails a day.
There are currently over 500 messages I’ve received so far in August. These are messages advertising companies like Laura Ashley, MetLife, Military.com, Quibids, Walk In Tubs, Sainsbury’s, Bloomburg, Fidelity, Oral B, Lasix Vision Institute, Virgin Broadband, ClickNLoan, Timeshares, iMotors, Walmart, oil changes, Experian, Credit monitoring, Life insurance, ADT, CHW Home Warranty, Health Plans of America, Bosley Hair Solutions, Jillian Michaels Online, restaurant coupons, credit cards, SBA loans, and that’s before we get to the Garcinia cambogia, herbal viagra and clearly fraudulent stuff.
This account, that hasn’t been subscribed to anything in more than 10 years is getting hundreds of unasked for emails a month, even with the benefit of commercial filters. It appears to be being sold or traded in multiple countries (Laura Ashley, Virgin Broadband and Sainsbury’s are all in the UK). I don’t want this mail. I have tried to stop getting this mail.
Yes, spam is still a problem.
Email saves trees!
The arrival of my first spam email was a bit of a shock. I’d been on the internet for years by that point and had never seen junk mail in my inbox. Of course, the Internet was a very different place. The web was still a toddler. There was no email marketing industry. In fact, there wasn’t much commerce on the web at all. Much of the “surfing” I did was using gopher and ftp rather than the fancy new web browser called NCSA Mosaic. To share pictures we actually had to send printouts by postal mail.
It wasn’t just getting spam that was memorable (oh, great! now my inbox is going to look like my postal box, stuffed full of things I don’t want), it was the domain name: savetrees.com. Built into the domain name was an entire argument defending spam on the grounds of environmental friendliness. By sending spam instead of postal mail we could save the earth. Anyone who didn’t like it was morally corrupt and must hate the planet.
Why do I mention this history? During a discussion on a list for marketers earlier this week, multiple people mentioned that email marketing was clearly and obviously the much more environmentally sound way to do things. I mentioned this over on Facebook and one of my librarian friends (who was one of the people I was email friends with back in those early days) started doing her thing.
She posted her findings over on the Environmental News Bits blog: The comparative environmental impact of email and paper mail. It’s well worth a read, if only because a lot of companies have really looked into the issue in great detail. Much greater detail than I thought was being put into the issue.
I shared one of the links she found, the 2009 McAfee study, with the email marketing group discussing the issue. (You may want to put down the drinks before reading the next line.) It was universally panned as marketing and therefore the conclusions couldn’t be trusted.
Anyone who pays any attention knows that nothing we do and none of the choices we make are environmentally neutral. Plastic bags were supposed to save trees from becoming paper bags, but turned into an environmental mess of their own.
Simple slogans like “email saves trees” might make marketers feel better, and may have gained Cyberpromo a strong customer base in the early days. But the reality is different.
The DMA: Email marketing or spam?
A few weeks ago, I signed up for a webinar from the DMA. As is my normal process I used a tagged address. I don’t remember any notification that I would be signing up for mail, and I generally do look for those kinds of things. I also know a lot of webinars are used to drive sales processes and I prefer not to waste sales time if I’m not actually looking to purchase.
In recent weeks I have gotten an ongoing stream of marketing messages from the DMA. I’ve tried to opt-out, but the DMA don’t actually want me to opt-out. Each marketing message is a different type of message from a different list. Each list must be opted out of individually.
First it was Conferences, then it was Education, then it was Awards, then Events. I’m trying to figure out what’s next and how many more times the DMA is going to get to spam me before I just turn that address into a spam trap.
And before you tell me that I can’t make an address a spam trap, think about that a little bit. I never opted this mail in to receive anything but the webinar confirmation. I’ve dutifully opted out each and every time the DMA has mailed me. I’ve even tried to opt-out of all mail. Unfortunately, the DMA has placed the “opt-out of all mail” behind a registration wall, one I cannot get to as I do not have (or want) a DMA account.
The DMA is sending me mail I did not request and do not want. They have made it impossible for me to determine how much mail I will get. They have made it difficult for me to opt-out of all their mail.
This is an example of bad email marketing. I’m sure that the DMA will tell me this is all permission based email. I disagree. This is an example of the DMA taking permission. This is not an example of a sender asking for permission. I didn’t give permission to be added to all these DMA lists, and I have no way to actually revoke the permission that they took from me.
I signed up for a second webinar with this email address, one related to CASL. The irony is that the DMA’s behavior here is a violation of a number of points of CASL. First, there was no clear opt-in notice on the website. Second, CASL requires parity between opt-in and opt-out. If I opt-in once then I should be able to opt-out once. CASL puts an end to this opt-in once, opt-out dozens of times process.
I wish I could say I was disappointed in the DMA. But I’m barely surprised. Their track record is poor and they have typically fallen on the side of “I have consent until you force me to acknowledge that I don’t.” In this case, the DMA is demonstrating that quite clearly. They will keep spamming and spamming and spamming. I have no doubt were I to actually register an account, they would continue to spam me with “account notifications” that I was unable to opt-out of because they are transactional, membership messages.
Spam disclaimer of the day
Things are extremely busy here so blogging is not getting quite the attention it should. I hope to return to more extensive posts soon. Meanwhile, you’ll have to put up with short posts.
Today is a disclaimer I received in a spam. This is one of my addresses that has, somehow, ended up on UK-specific lists.
You paid money for that?
I just got a call from someone claiming that I “filled out an online form” asking for more information about “an online education.” When pressed, the nice woman kept changing her story about who she was calling for or how she got my phone number. Eventually she admitted that they have a collection of 50 or more websites and it’s very possible that I didn’t give them my information directly.
She did want to reassure me that I had “no obligation to respond.”
How very thoughtful of her to reassure me that some random person giving her my corporate phone number does not obligate me to anything.
I don’t believe for a second that anyone who knows me signed me up to receive information. But I do appear to have gotten on some new mailing list recently. I’m getting a lot of ‘internship’ and ‘summer work’ offers in snail mail. These advertisements are clearly targeting a different demographic than the one I belong to.
At least 4 companies (so far) seem to have paid good money for totally fake information about me. Of course, when they’re calling or sending me mail there’s no way I can stop it or fix it. I can’t even tell them their vendor is giving them bad information. I guess I just have to take comfort in the fact that they are wasting their money. I only wish they weren’t wasting my time as well.
This is just one example of why purchasing information, or trusting information filled into websites, is a bad idea. The company selling my information makes their profit and it doesn’t matter that their information is bad. If it really was someone filling in my information, that person is wasting the company’s time.
I’ve worked with marketers long enough to know that they just consider the bad data a cost of doing business. Data integrity just isn’t relevant to making a profit. Send enough email, send enough postcards, ring enough phones and profit appears. Even if their targets aren’t what they were sold.
Affiliate mailers struggling
What are affiliate mailers?
Affiliate mailers collect email addresses and then rent access to those addresses out to 3rd parties. There are a wide range of vendors that fall into the affiliate category. Some vendors compile lists through co-registration, others compile lists themselves through website opt-ins and some affiliate vendors fulfill mailing requests by hiring affiliates. There are, of course, some senders in the affiliate space that don’t even pretend to send opt-in mail, they just buy, compile or harvest addresses and blast mail to those addresses.
Stop telling me how great Spamarrest is
Late last year, Al wrote a piece discussing how Spamarrest lost a court case. In the comments on that piece I described how much I really detest Spamarrest because of all the spam I get from Spamarrest users. Every few weeks, someone notices that post again and points it out to Spamarrest users who then come over here to tell me how wonderful Spamarrest is for them.
I Get It. You like Spamarrest because it keeps spam out of your inbox.
The problem is Spamarrest (and any other challenge response setup) contributes to spam in my inbox. I have addresses that get forged into spam all the time. When that happens, I get dozens of Spamarrest challenges, clogging up MY inbox.
I don’t want to do your spam filtering for you. I really don’t. And if you ask me if you should receive a piece of email, I am going to tell you yes. I did that for a while; when I got a challenge from someone I’d answer it in the affirmative. Eventually I got tired of it and sent all mail from @spamarrest.com to /dev/null.
Am I missing out on corresponding with some brilliant and wonderful people? Maybe. But from my perspective, 100% of the confirmation requests I receive from Spamarrest are spam. I’m just thankful that Spamarrest makes it easy to identify and throw away their requests so I don’t have to handle someone else’s spam load in addition to my own.
This is a long way to say I’m closing comments on the older Spamarrest post, so don’t bother telling me what a great spam filter it is. The same thing that makes it a great spam filter for you makes it a total source of spam for me.
Spam filters and mailbox usage
It’s no secret that I run very little in the way of spam filters, and what filters I do run don’t throw away mail, they just shove it into various mailboxes.
Looking at my mailboxes currently I have 11216 unread messages in my mail.app junk folder, 10600 unread messages in my work spam assassin folder and 29401 messages in my personal spam assassin folder (mail getting more than +7 on our version of spam assassin gets filtered into these folders). I went through and marked all of my messages read back in mid-January. That’s a little over 50,000 messages in a little over 5 months or slightly more than 2700 spams a week.
But these are messages I don’t have to deal with so while they’re somewhat annoying and a bit of “wow, my addresses are everywhere” they’re not a huge deal. I have strong enough filters for wanted mail that I can special case it.
The more things change
I was doing some research about the evolution of the this-is-spam button for a blog article. In the middle of it, I found an old NY Times report about spam from 2003.
It's about the spam
Tell someone they have hit a spamtrap and they go through a typical reaction cycle.
Denial: I didn’t hit a trap! I only send opt-in mail. There must be some mistake. I’m a legitimate company, not a spammer!
Anger: What do you mean that I can’t send mail until I’ve fixed the problem? There is no problem! You can’t stop me from mailing. I’m following the law. My mail is important. I’ll sue.
Bargaining: What if I just send mail to some recipients? What if I hire an email hygiene company to remove traps from my list?
Acceptance: What can I do to make sure the people I’m mailing actually want to be on my list?
Overall, my problem with the focus on spamtraps (and complaints to a lesser extent) is that these metrics are proxies. Spamtraps are a way to objectively monitor incoming email. Mail sent to spamtraps is, demonstrably, sent without permission of the address owner. This doesn’t mean all mail from the same source is spam, but there is proof at least some of the mail is spam.
If there is enough bad mail on that list, then reworking the subscription process may be necessary to fix delivery.
Spam is not a valid marketing strategy
This seems like an attempt to create the next big viral marketing campaign. It’s just spam, though, and not even good spam. There’s nothing about a random “click here” that will entice me to click on it.
Scammers? Spammers? Whoever Ryann Rasmussen at HighSpeedInternet is, she might want to rethink her marketing strategy. It looks more like an infection attempt than anything else.
I guess we can say that their mail made an impression, a very negative impression. There is no website at http://highspeedinternet.com. The whois record for highspeedinternet.com is behind domains by proxy. The mail violates CAN SPAM. The address was scraped off our website.
Not all spammers are dodgy Russians. Some spammers are from Utah.
Spam is not a moral judgement
Mention an email is spam to some senders and watch them dance around trying to explain all the ways they aren’t spammers. At some point, calling an email spam seems to have gone from a statement of fact into some sort of moral judgement on the sender. But calling an email spam is not a moral judgement. It’s just a statement of what a particular recipient thinks of an email.
There are lots of reasons mail can be blocked and not all those reasons are spam related. Sometimes it’s a policy based rejection. Mailbox providers publishing a DMARC record with a reject policy caused a lot of mail to bounce, but none of that was because that user (or that mailing list) was sending spam. Most cable companies prohibit customers from running mail servers on their cable connection and mail from those companies is widely rejected, but that doesn’t mean the mail is spam.
Sometimes a block is because some of the mail is being sent to people who didn’t ask for it or are complaining about it. This doesn’t make the sender a bad person. It doesn’t make the sending company bad. It just means that there is some issue with a part of the marketing program that needs to be addressed.
The biggest problem I see is some senders get so invested in convincing receivers, delivery experts and filtering companies that they’re not spammers, that they miss actually fixing the problem. They are so worried that someone might think they’re spammers, they don’t actually listen to what’s being said by the blocking organization, or by their ISP or by their ESP.
Calling email spam isn’t a moral judgement. But, if too many people call a particular email spam, it’s going to be challenging to get that mail to the inbox. Instead of arguing with those people, and the filters that listen to them, a better use of time and energy is fixing the reasons people aren’t liking your email.
Get an email address, by any means possible
Neil has a post up about the “opt-in” form that we were all confronted with when logging into the hotel wifi at M3AAWG last week. They aren’t the only hotel asking for email addresses, I’ve seen other folks comment about how they were required to provide an email address AND opt-in to receive email offers before they were allowed onto the hotel network. Mind you, they’re paying the outrageous fees for hotel internet and still being told they must provide an email address.
The addresses given by people who wouldn’t opt-in willingly aren’t going to be worth anything. These are not people who want your mail, they’re only giving you an address because they’re being forced to do so.
I know it is so tempting for marketers to use any methods to get an email address from customers. I recently was dealing with a very poorly delivering list that looked purchased. There were clear typos, invalid domains, non-existent domains, the whole nine yards. Over 20% of the mail was bouncing and what did get delivered wasn’t going to the inbox. I was working through the problem with the ESP before they went to talk to the customer. To my eye, the list looked purchased. Most times lists just don’t look that bad when they are actually opt-in lists. The ESP insisted that the addresses were being collected at their brick and mortar stores at point of sale. I asked if the company was incentivizing address collection, but the ESP didn’t know.
Eventually, we discovered that the retailer in question had set performance indicators such that associates were expected to collect email addresses from 90% of their customers. No wonder the lists looked purchased. I have no doubt that the pressure to give an email address caused some customers to just make up random addresses on the fly. I also wouldn’t be surprised if some associates, after failing to meet the 90% goal, would just enter random addresses in “on behalf of” the customer.
Email is a great way to stay in touch with customers. It is an extremely cost effective and profitable way to market. The caveat is that customers have to want that mail. Coercing a customer to give you an address doesn’t make your marketing better. It just makes your delivery harder. That lowers your overall revenue and decreases profits.
Quantity is not the be all and end all of marketing. This company? They have a great email marketing program, but their address collection is so bad hardly anyone gets to see the mail in the inbox, even the people who would be happy to receive the mail.
For email delivery, quality trumps quantity every time.
Massive new phishing run
It seems while the experts are meeting to figure out how to stop spam, the spammers are exploiting new ways to spam. This morning my mailbox had over 100 messages with either the subject “market report” or “eviction notice.” What headers I checked showed this was from a botnet, sent to dozens of addresses at my domains.
More on Newsmax and spam to political lists
Things are getting stranger and stranger with Newsmax and the politicians they’re managing lists for. Earlier this week, recipients on Scott Brown’s list received emails with the subject line “5 Signs You’ll Get Alzheimer’s Disease.” The advertisement was for products and information from Dr. Blaylock, a contributor to Newsmax Health. Scott Brown told the political reporter at WMUR in New Hampshire that he did not authorize this email and was cutting ties with Newsmax.
Newsmax contacted me after I posted about unexpected email to the Herman Cain mailing list. They wanted to make it clear to me that their mailings were all double opt-in and that they adhered to all best practices. They also said that select advertisers were allowed to put ads in the body of messages from the politician to their supporters.
It seems, though, that may not be the whole truth. After I received the message from Newsmax, I signed up on caintv.com to see if they really were using double opt-in. While it is very possible that Mr. Cain was using double opt-in during the campaign, he isn’t any longer. I started receiving emails immediately, with neither a welcome message nor a confirmation message.
In the case of Scott Brown’s list, the advertisement wasn’t from an outside advertiser, the advertisement was for a Newsmax columnist. And the ad wasn’t in the body of a message to supporters, it was the message to supporters. Mr. Brown has this to say about his likeness and mailing list being used by Newsmax.
Repurposing addresses
Multiple news sources are reporting that Herman Cain, republican presidential hopeful from 2012. Maddow on Herman Cain’s new business model. Apparently, his email address list is for rent by just about anyone, including companies selling cures for erectile dysfunction.
First BACN, now SCRAPPLE
There is a lot of mail that goes out to recipients that’s not really spam, but isn’t fully wanted. To describe these different kinds of mail, people have invented pork-product related terminology. Ham and bacn are both used to describe wanted mail, although possibly not wanted right now.
Now we have SCRAPPLE. It seems over the weekend a number of members of the Science Fiction Writers Association received email from someone asking them to consider one of his writings for an award. Reading through the tweets, this person typed hundreds of email addresses out of the SFWA directory into their mail client. And then sent mail to that list.
Recipients of that mail then went to Twitter to complain about abuse of their email addresses in this way. Being writers, they discussed what word would describe “something like spam, but not really.”
@talkwordy came up with Scrapple. Now, for those of you who don’t live in a very small part of the mid-Atlantic region, you may not know what scrapple is. Scrapple is a loaf pork product made from, well, scraps of pig. It often has a weird greenish tinge to it, presumably from the liver. My grandmother, having grown up in that small part of the mid-Atlantic region, used to eat it when she could find it. Usually it was in small, country diners where the waitresses call you darlin’ or hun.
By the end of the discussion the definition of scrapple was: Unwanted email from a person you know, which is annoying but not completely irrelevant to your interests, often manual address list creation.
There you have it. Scrapple joins bacn, ham, spam, and spim to describe different kinds of email.
Holiday mailing advice from mailbox providers
Christine Borgia has a post on the Return Path blog where she interviews a number of different groups (spamfilters, DNSBLs, mailbox providers) about their filtering strategy for the holidays. Overall, no one changes their filtering during the Holiday Mailing Season. On the other hand, many marketers do change their marketing strategies in ways that trigger more filtering and blocking.
The take home message? Pay attention to what is being sent and who it is being sent to. This is nothing new, but many marketers seem to forget it in the effort to get into their customers’ inboxes.
Unsubscribing from spam, part 2
Yesterday I posted about why the reasons a lot of people give for not unsubscribing from spam are mostly wrong. Unsubscribing from spam doesn’t seem to confirm your address and it doesn’t seem to increase your spam load.
But does that mean you should unsubscribe from spam? I’m not sure about that.
I’ve been working on a project where I am unsubscribing from every message coming into one of my email addresses. Weeks into that process I’m not seeing a huge decrease in the amount of mail that address is receiving. In some cases I’m unsubscribing from the same senders multiple times a day and have been for close to 3 weeks.
While unsubscribing doesn’t increase your spam, I’m also not sure it decreases your spam, either. But I’ll have full data and numbers demonstrating that in a few more weeks.
What can have an effect on the amount of spam you get is complaining about spam, at least according to Brian Krebs.
Can someone explain to me…
What this disclaimer means?
You are receiving this email because you have a customer relationship or have opted-in to an email list managed by the Emailing Entity listed below. This email was not sent to you by the company or website identified in the offer above, for which we have a separate business relationship. We have represented to such company or website that we have the affirmative right to email you with an offer on their behalf.
Payday loan mail
Mickey has a great story of what happened when he gave a lead gen company his email address. Over 200 emails in 2 weeks from companies that seem unrelated to the signup company.
It’s this behavior by PayDay senders that causes their mail to be filtered and has caused many, many ESPs just to prohibit that kind of mail on their systems. It’s very much the ugly underbelly of email marketing.
What happens when you apply for a PayDay loan
From NPR.
I’ve had clients over the years who were email marketing agencies selling leads to lenders. Their delivery is horrible, even when they’re doing all the “right things” for email. I’ve come to the conclusion that PayDay lenders are a lot like lawyers: “95% of them give the rest a bad name.”
PayDay loans are the one area where content trumps everything else, and so much of the content out there is bad, it can ruin delivery for everything. The NPR article speaks to why that is.
This month in email: October 2013
What did we talk about in October? Let’s take a look back over this month.
The DMA responds
Stephanie Miller has posted over on the DMA blog explaining just what went down with the mailing that got the DMA SBLed over the weekend.
Ken Magill has a pair of articles about the email from the DMA. Oops: DMA spams Spamhaus and others and What we can learn from the DMA.
What not to do when buying lists
Saturday morning I check my mail and notice multiple emails from the DMA. Yes, I got three copies of an email from the US Direct Marketing Association with the subject line Kick It Up A Notch With The DMA Career Center. It seems the DMA are buying addresses from various companies. Because I use tagged email addresses, this means their naive de-duping doesn’t realize that laura-x and laura-y are the same email address. Of course, they’ve also managed to send to an untagged email address, too. I have no idea where they got that particular address; I’m sure I’ve never handed that address over to the DMA for any reason.
Saturday afternoon, I check one of the professional filtering / anti-spam mailing lists. Some subscribers are asking for copies of spam from 97.107.23.191 to .194. They’d seen a lot of mail to non-existent email addresses from that range and were looking to see what was going on and who was sending such bad mail. Multiple people on the list popped up with examples of the DMA mail.
Sunday morning, I checked the discussions wherein I discovered the DMA was added to the SBL (SBL 202218, SBL 202217, SBL 202216). It seems not only did they hit over a hundred Spamhaus spamtraps, they spammed Steve Linford himself.
Is it real or is it spam?
The wanted but unexpected email is one of the major challenges facing ISPs and filter developers. If there was never any need or desire for people to receive email from someone they don’t know, then mail clients could be locked down to only accept mail from addresses on a whitelist. It wouldn’t completely solve the spam problem, for a number of reasons, but it would lessen the problem, particularly for average email users.
But, we don’t live in a world where we know beforehand who will be sending us mail, so we can’t just whitelist correspondents and reject everything else. I think this is a good thing. Email can be used to meet new people, develop new relationships and introduce new opportunities.
While the “cold call” email isn’t much talked about I think it’s worth some discussion. What makes a good cold email? What makes a bad one? We can use two recent emails I received as examples.
Example 1:
No, I'm really not Christine
Got this to one of my accounts recently.
Congratulations and welcome to emailinform.
Delivery is about helping you succeed
I was talking with another delivery person today who’s dealing with a customer struggling with some issues. As most of these discussions go, we get to the part where we have to tell the customer that what they’re doing looks problematic from the outside. And then the customer gets all upset and angry and starts complaining to account reps or managers or executives.
The challenge of delivery is working with clients who don’t want to hear they have to change what they’re doing. Some senders deflect better than a 3 year old caught with her hand in the cookie jar.
I think all of us in the delivery space, or at least most of us, want our customers and clients to succeed in their email goals. We want you to have a great mailing program. But when your delivery is having problems, getting to a great mailing program means doing something differently.
These changes can be hard, both in terms of thinking differently about email and how it works and about business models. Some business models make it extremely difficult to use emails. We understand that. We don’t make the rules, we just explain them.
We want your mail to work.
Spam illustrated
Portraits of Spammers
It’s been a long week, so enjoy some art (and spam). Next week we’ll get back to discussing the many faults of Gmail. And senders. And receivers. And, well, everyone has faults. And email is Dead. Tabs killed it.
Spamhaus answers marketer questions
A few months ago, Ken Magill asked marketers, including the folks at Only Influencers, to provide him with questions to pass along to Spamhaus. Spamhaus answered the first set in March, but then were hit with the Stophaus attack and put answering further questions on hold. Last week, they provided a second set of answers and this week they provided a third.
Nothing in there is surprising, but it’s worth folks heading over and reading.
There are a couple useful things that I think are worth highlighting.
When discussing spamtraps and how Spamhaus handles the traps.
A new twist on confirmation
I got multiple copies of a request to “confirm my email address” recently. What’s interesting is the text surrounding the confirmation request.
Feedback from recipients
Please Don’t Add Me to Your Email List
Email marketing wisdom from Forbes and someone who spends a lot of time networking and handing out business cards.
Papa John's settles texting suit
Last year a class action lawsuit was filed against Papa John’s for violation of the Telephone Consumer Protection Act (TCPA) for texts received by Papa John’s customers. Customers allege they never opted in to receive promotional texts from the company. Papa John’s claims that they didn’t send the marketing, but that it was instead sent by third party contractors.
A blog post on lawyers.com says that Papa John’s settled the case for $16.5 million.
Just… make it stop
It used to be when I’d send in a complaint to an ESP, I’d want them to take it seriously. To actually fix their customer problems. To stop their customers from spamming. To fix the broken process that resulted in their customer thinking I asked for email.
These days? These days I just want the ESP to suppress my address and make the mail stop. Even better would be suppressing the address from their entire customer base – the only addresses I send in complaints for these days are traps.
Sadly, there are ESPs out there that can’t manage to stop customers from spamming people who have reported the spam. But, I am forever the optimist and keep sending the complaints when I think someone will care.
TWSD: avoid filters
I was cleaning out one of my spamtraps. This is the one that gets a ton of “legitimate” spam. In the last 12 hours it’s gotten spam advertising: T.G.I.Fridays, KFC, Applebees, LendingTree, Lasix Vision Institute, Kohl’s, Burger King, Match.com, and Vistaprint.
The footers of some of the mails are making me laugh, though. It’s clear they’re trying to comply with CAN SPAM, but are having problems with content filtering. Here’s a brief selection of the footers:
Ondemand Research, 1O5 E.[34th]-Street Ste 144, New Y0rk, NY 1OO16
Ondemand Research, 105 E. 34th Street St #144, New York, NY 10016
0ndemand=Research, 1O5/E/./34th Street Ste 144,New Y0rk,NY=1OO16
Poor OnDemand Research, they just can’t catch a break.
EDIT: Just got a spam for Ruby Tuesday’s using a .pw domain.
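The three footers above differ only in punctuation and O/0 swaps, which is enough to get past an exact-match content rule. The following Python is an added example, not code from the original post: it normalizes the footers and groups them by token overlap, and the swaps themselves become a detection signal. The function names, the 0.8 threshold and the fourth footer are assumptions made for illustration.

```python
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9]+")
AMBIGUOUS = set("oO0")  # characters swapped for each other in the footers

# The first three footers are quoted from the post; the fourth is constructed.
FOOTERS = [
    "Ondemand Research, 1O5 E.[34th]-Street Ste 144, New Y0rk, NY 1OO16",
    "Ondemand Research, 105 E. 34th Street St #144, New York, NY 10016",
    "0ndemand=Research, 1O5/E/./34th Street Ste 144,New Y0rk,NY=1OO16",
    "Example Widgets Ltd, 1 Sample Road, Springfield, XX 00000",
]


def fix_token(token):
    """Resolve O/0 swaps by looking at the token's unambiguous characters."""
    rest = [c for c in token if c not in AMBIGUOUS]
    digits = sum(c.isdigit() for c in rest)
    letters = len(rest) - digits
    if digits > letters:        # mostly digits: a letter O is really a zero
        token = token.replace("O", "0").replace("o", "0")
    elif letters > digits:      # mostly letters: a zero is really a letter o
        token = token.replace("0", "o")
    return token.lower()        # ties (e.g. "34th") are left as they are


def tokens(footer):
    """Split on punctuation and whitespace, then canonicalize each token."""
    return [fix_token(t) for t in TOKEN_RE.findall(footer)]


def substitutions(footer):
    """Tokens whose spelling changed beyond case: evidence of obfuscation."""
    return [t for t in TOKEN_RE.findall(footer) if fix_token(t) != t.lower()]


def similarity(a, b):
    """Jaccard similarity of the canonical token sets of two footers."""
    sa, sb = set(tokens(a)), set(tokens(b))
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def cluster(footers, threshold=0.8):
    """Greedy grouping: join the first cluster whose exemplar is close enough."""
    clusters = []
    for footer in footers:
        for group in clusters:
            if similarity(group[0], footer) >= threshold:
                group.append(footer)
                break
        else:
            clusters.append([footer])
    return clusters


if __name__ == "__main__":
    for group in cluster(FOOTERS):
        print(len(group), "variant(s):", " ".join(tokens(group[0])))
        for footer in group:
            print("   swaps:", substitutions(footer) or "none", "|", footer)
```

The second footer joins the cluster despite reading "St #144" instead of "Ste 144", because the comparison is by token overlap rather than exact match.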
DKIM and DomainKeys, Spam and Ham
I’ve been preaching “DKIM is great! DomainKeys is obsolete, get rid of it!” for several years now. I thought I’d take a look at my mailbox and see who was using authentication.
I’ve divided this into “Ham” and “Spam”. Spam is, well, all the spam I’ve received over the past couple of years. Ham is the non-spam mail in my inbox, whether personal, business, bulk or transactional. I’ve excluded most of the discussion mailing lists I’m on (not least because many of them consist of people in the email industry or are email standards development mailing lists, so have email authentication levels that are way outside the norm).
If you want to spam, don't be stupid
Some random UK email marketing company that I’ve never heard of harvested my address off of LinkedIn (yes, it’s my LinkedIn specific address) and is now spamming me advertising their cheap email marketing services. There were a lot of things about this particular mail that really annoyed me. The annoyance wasn’t just spam in a folder that shouldn’t have spam, it’s that the spam itself was badly done.
The thing is, they could have done this in a way that didn’t annoy me enough to blog about them being spammers. A teeny, tiny amount of effort and an ounce of empathy for their recipients and I wouldn’t have anything to blog about today.
If you want to spam, don’t be stupid. How can you avoid being stupid?
1) Send only one email and make it clear in the message this is a one time (or limited time) email. Don’t just randomly harvest addresses off a website, like Submission Technology did today, and add all those addresses to your marketing list. Spam is an interruption and an annoyance. And if spammers had any sense they’d limit the amount of time they spent annoying and interrupting recipients.
2) Target your email correctly and don’t be lazy. This morning’s mail from Submission Technology was advertising their UK specific marketing programs. They have my LinkedIn profile, they know I’m on the other side of the US from the UK.
3) Don’t lie about where you got my name. In this case, I know Submission Technology harvested it off LinkedIn because that’s the address they are sending it to. And, in fact, in the email they sent they mention they are sending this to me because we’re connected on LinkedIn. The problem is, I can find no trace of a connection between us on LinkedIn. And, yes, I did look because I generally drop connections that add me to their mailing lists.
One part of my anger at this particular spam is that they’ve appropriated a tagged email address of mine and added it to their marketing lists. That’s breaking my filtering.
After doing a little research into their company and their practices, though, I have to wonder if they’re going to sell my address. It seems that Submission Technology sells addresses to their customers, among other product offerings. Is this address that I’ve dedicated to handling LinkedIn specific emails really now going to end up getting spam from UK companies?
Based on multiple online reports (Andy Merrett and Ben Park) it doesn’t even look like unsubscribing will be sufficient to get this mail to stop.
One of the most amusing links that showed up was a comment on a post here from 2008. It seems that they spammed Steve Linford and were SBLed for it. I’m only guessing that since they’re not still listed they’ve figured out how to suppress Steve’s address at least.
Sending unsolicited email can be a problem for bulk senders; you risk alienating your potential customers, getting blocked and developing a poor reputation. Some of those problems can be mitigated by not being stupid.
Do you have an abuse@ address?
I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.
Goodbye Mr. Ebert
The Chicago Sun Times announced earlier today that Roger Ebert passed away today. Mr. Ebert was a legendary film critic, who hosted multiple shows over the last few decades.
His influence wasn’t just in the film arena, though. Mr. Ebert was an active participant online. In fact it was Roger Ebert, in 1996 at the Conference of World Affairs in Boulder Colorado, that coined “The Boulder Pledge.”
Some content is just bad; but it doesn't have to be
There are a few segments in the marketing industry that seem to acquire senders with bad mailing practices. Nutraceuticals, male performance enhancing drugs, short term or payday loans and gambling have a lot of senders that treat permission as optional. The content and the industry themselves have garnered a bad reputation.
This makes these industries extremely difficult for mailers who actually have permission to send that content to their recipients. Working with this kind of sender, sometimes it seems impossible to get mail delivered to the inbox, no matter what the level of permission. Even when it’s double confirmed opt-in with a cherry on top, all the care in the world with permission isn’t enough to get inbox delivery.
This doesn’t have to be the case. Look at the porn industry. Early on in the email marketing arena there was a lot of unsolicited image porn. A Lot. So much that complaints by recipients drove many ISPs to disable image loading by default. The legitimate porn companies, though, decided unsolicited image porn was bad for the industry as a whole. Porn marketers and mailers adopted fairly strong permission and email address verification standards.
It was important for the porn marketers that they be able to prove that the person they were mailing actually requested the email. The porn marketers took permission seriously and very few companies actually send photographic porn spam these days. Even the “Russian girls” spam doesn’t have not safe for work images any longer.
Because of their focus on permission, in some cases revolving around age of consent in various jurisdictions, the porn industry as a whole is not looked at as “a bunch of spammers.” Porn content isn’t treated as harshly as “your[sic] pre-approved for a wire transfer” or “best quality drugs shipped overnight.”
Just having offensive content isn’t going to get you blocked. But having content that is shared by many other companies who don’t care about permission, will cause delivery headache after delivery headache. This is true even when you are the One Clean Sender in the bunch.
Filtering is not just about spam
A lot of filters started out just as filters against spam. But over the years they’ve morphed into more general blocks against dangerous or problematic email. There’s a lot of crime and bad behavior on the internet, much of it using email as a conduit or vector. Filtering is so much more than stopping spam now. It’s as much, or more, about stopping crime.
Email filters are essential to protect us from scammers. Sometimes I forget this, and then I read about a grandmother getting swindled by a Nigerian scammer and ending up dead.
There are real consequences to poor filtering and there is real crime facilitated by email. It’s easy to forget this as we deal with the email that gets caught in filters when it shouldn’t.
Filters are one of the first lines of defense against online crime.
Not only do filters stop crime, but they also keep email working. An unfiltered mail stream is an ugly, unreadable, unworkable mess.
Spamming to hide fraud
An interesting article at NetworkWorld last month, describing spam bombs to victims of fraud and identity theft to hide the transactions and notifications from financial institutions.
Mini Cooper and their email oops
I haven’t been able to track down any information about what happened, but it seems MINI USA had a major oops in their email marketing recently. So much so that they’re sending out apologies by snail mail. Pictures of the apology package appeared on Reddit earlier this week, and include a chocolate rose, some duct tape and a SPAM can stress reliever.
It’s a great example of a win-back campaign that really focuses on the recipients rather than the sender.
Spammers are funny
Dear Spammer,
If you are going to send me an email that claims it complies with the Federal CAN SPAM act of 2003, it would be helpful if the mail actually complies with CAN SPAM.
In this case, however, you are sending to an address you’ve harvested off my website. The mail you are sending does not contain a physical postal address. You’re also forging headers. Both of those things are violations of CAN SPAM. Given you have also harvested the laura-questions@ email from this website, that is treble damages.
Oh, and while we’re at it, you might want to consider your current disclaimer.
Harvesting and forging email addresses
For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of Chinese-language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way, shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.
Harvesting is alive and well
I’m finding out that email address harvesting off websites is alive and well on the Internet. We have a rotating address on the contact page, which does get harvested but usually the spam is attempting to sell me blog related services. I didn’t expect to get a very different collection of emails to the address I posted here. I’m quite surprised that address is getting a completely different type of spam from the contact address.
The one thing that harvesters appear to have in common is sending CAN SPAM violating email. Both the contact address and the questions address get lots of mail that is in violation of US (and California) law. One of these days I might get bored enough to file a suit against one of them and blog about it.
Let them go!
Unsubscribing should be so simple. Even if someone signed up for mail, senders should let them go when they unsubscribe. Unfortunately, there are a lot of senders that make it difficult to unsubscribe. In fact, many companies are still hiding unsubscribe links behind login pages.
Just Block It
I tend to go back and forth about reporting spam these days. On one level I know that it’s all a numbers game, and policy enforcement is more about the quantity of complaints than the quality. Knowing this I don’t often send in complaints. I do make a few exceptions: when I know the policy enforcement team or when it’s a current or former client.
Dr. Livingston, I presume?
I linked to Al’s post about misdirected emails and how annoying it is for people who receive emails. I’ve previously talked about the problems associated with not handling misdirected emails properly.
It’s really annoying getting email that you never signed up for. For instance, one of my email addresses gets quite a bit of misdirected email. Oddly enough, much of this mail comes addressed to “Mrs. Christine Stelfox” and advertises various services. The problem is, I’m not Mrs. Christine Stelfox and I don’t live in the UK.
I’ve been getting this misdirected email for a while. In fact, I’ve even tried to track down the source of this just to make it stop. But I can’t seem to get that to happen. The senders tell me simply that I opted in, and that if I want to opt-out, here’s a link. Sometimes I have more luck contacting ESPs, but not always.
In fact, recently I reported spam to Mrs. Stelfox to a European-based ESP. I got a response from their delivery head, who asked a lot of questions about the email address. What kind of spamtrap was it? How long had I had it? Is it possible it’s a recycled address? It’s really not, though. It’s an address I’ve had since early 1994, and it’s not really a trap as I still actually use it for some mail. But I’ve not used it for commercial email since sometime in the late ’90s. And I’ve certainly never claimed to be a Mrs. Stelfox.
This really isn’t a case where I forgot I signed up. This isn’t a case where someone had the address before me. This is either some confused person using my address or some company in the UK selling my email address as belonging to someone else. I’ve tried to track this down in the past to get off the list of whomever is selling this address. But I’ve never had any luck.
There isn’t a lot of recourse here. I can continue to unsubscribe the addresses, but that doesn’t resolve the underlying problem. The underlying problem is that many marketers think it’s acceptable to purchase (or append) email addresses with no regard for the fact that sometimes their data suppliers are wrong.
It’s not just this one address, either. Another one of my email addresses is being sold as “Mrs. Laura Corbishley” of the UK as well. Sometimes I get the same spam to Mrs. Christine Stelfox and Mrs. Laura Corbishley. Other times I get different spams to each address, possibly because Mrs. Stelfox is behind some commercial email filters and Mrs. Corbishley isn’t.
Misdirected emails are annoying. They’re a problem for the people who keep getting them and can’t make them stop. It’s really important that ESPs, companies that send email and companies that sell email addresses have some way to make that mail stop. It doesn’t matter that half a dozen ESPs have put Mrs. Stelfox in their suppression list. Senders are still purchasing that data and are wasting their money. I am still getting spam.
Misdirected email
Al has another post about another company sending mail to a customer that gave an email address that didn’t belong to them. The person receiving the misdirected email has no effective way to make it stop, and is getting more and more frustrated with the ongoing spam. (Consumerist article)
Spam makes only 200MM dollars a year
Now, in a new paper in the Journal of Economic Perspectives, Justin Rao of Microsoft and David Reiley of Google (who met working at Yahoo) have teamed up to estimate the cost of spam to society relative to its worldwide revenues. The societal price tag comes to $20 billion. The revenue? A mere $200 million. As they note, that means that the “‘externality ratio’ of external costs to internal benefits for spam is around 100:1. Spammers are dumping a lot on society and reaping fairly little in return.” In case it’s not clear, this is a suboptimal situation. The Atlantic
Services, abuse and bears
A couple weeks ago I wrote a post about handling abuse complaints. As a bit of a throwaway I mentioned that new companies don’t always think about how their service can be abused before releasing it on the unsuspecting internet.
Today’s blog post by Margot Romary at the Return Path In the Know blog reminds me that it’s not always new companies that don’t think about abuse potential before launching services.
Working as intended
There’s a certain type of sender that thinks every ISP block or email delivered to the bulk folder is a false positive. They’re so sure that the filters aren’t actually supposed to catch their mail that they’ll spend any amount of money and do every possible thing to get their mail to the inbox.
The problem for these senders, though, is that their mail is exactly the type of mail filters are designed to catch. They’re sending mail without recipient permission. I’m not talking about the lists that get a few typos or problem addresses on them. I’m talking about senders that buy and trade mailing lists. I’m talking about senders that don’t believe they have to have permission to send mail.
This mail getting filtered is a sign that the filters are working as intended. They’re keeping the unsolicited email out.
A lot of us take for granted that all commercial mail, at least that isn’t selling fake watches or herbal viagra, is always sent with permission. But there’s an awful lot of mail out there that doesn’t even have a minor fig leaf of permission. Filters stop that mail. And senders have very little recourse when they do.
Scam, Scam, Scam
One of the things that never ceases to amaze me about phishers is how incredibly creative they can be in writing text that encourages recipients to open their emails.
There have been two separate incidents recently that inspired me to talk about phishing.
The first was watching viruses propagate through my local neighborhood mailing list. I live in Silicon Valley and we do have an email list for neighbors to talk, plan and generally share information. Last week one of the neighbors got infected with a virus, and their address started posting links to more viruses to the list. Over the weekend I watched half a dozen neighbors get infected and post more viruses to the list.
The second is the dozens of messages I’ve been receiving telling me there are naked photos of me on the Internet. They have a couple different forms. Some pretend to be concerned friends worried that my private photos have leaked. Others threaten legal action or that the police are investigating me. Still others tell me I’ve ruined a friendship by sharing these photos.
None of those things are true, of course. They’re all trying to get me to open a file and infect my machine with some virus or another.
World IPv6 launch day
Today is world IPv6 launch day. A group of ISPs, network hardware manufacturers and web companies permanently enabled IPv6 for their products and services.
What’s this got to do with email? According to a post on the NANOG mailing list the very first email to arrive at the Comcast IPv6 mailserver was received a minute after the server was turned on. This email was spam and was caught by Cloudmark’s filters.
Comcast goes on to assure readers that more mail came in and not all of it was spam.
But, yes, the first email sent to Comcast over IPv6 was spam. Welcome to the future.
Things people hate about your email marketing
I found this article over on Hubspot, and I think it covers a lot of why people hate email marketing quite well.
Return Path on Content Filtering
Return Path have an interesting post up about content filtering. I like the model of 3 different kinds of filters, in fact it’s one I’ve been using with clients for over 18 months. Spamfiltering isn’t really about one number or one filter result, it’s a complex interaction of lots of different heuristics designed to answer the question: do recipients want this kind of mail?
Things Spammers Do
Much like every other day, I got some spam today. Here’s a lightly edited copy of it.
Let’s go through it and see what they did that makes it clear that it’s spam, which companies helped them out, and what you should avoid doing to avoid looking like these spammers…
Data Cleansing part 2
In an effort to get a blog post out yesterday before yet another doctor’s appointment I did not do nearly enough research on the company I mentioned selling list cleansing data. As Al correctly pointed out in the comments they are currently listed on the SBL. And when I actually did the research I should have done it was clear this company has a long term history of sending unsolicited email.
Poor research and a quickly written blog post led to me endorsing a company that I absolutely shouldn’t have. And I do apologize for that.
With all that being said, Justin had a great question in the comments of yesterday’s post about data cleansing.
You opted in
One thing I get in some of the comments here and in some of the discussions I have with email senders is that no commercial emailer ever sends unsolicited email. That, clearly, at some point the recipient opted in to receive mail and if that person doesn’t want mail they shouldn’t ever give out their email address.
I have an old yahoo address that’s used primarily as my Flickr account login. I don’t believe I’ve ever given out the address to anyone or opted in to anything. Anything’s possible, this address was created sometime in 2006 or 2007 and I may have tossed it into a form to test something. It’s certainly not an address I ever actually use.
Earlier this week I checked mail on the account. There were almost 700 messages in there. It was pretty amazing how much garbage this unused, unshared address collected. Notice the “clever” use of foreign alphabets and the number of legitimate companies who have acquired this address or hired people to mail me on their behalf. I’m sure some of it is phishing, too.
Hunting the Human Representative
Yesterday’s post was inspired by a number of questions I’ve fielded recently from people in the email industry. Some were clients, some were colleagues on mailing lists, but in most cases they’d found a delivery issue that they couldn’t solve and were looking for the elusive Human Representative of an ISP.
There was a time when having a contact inside an ISP was almost required to have good delivery. ISPs didn’t have very transparent systems and SMTP rejection messages weren’t very helpful to a sender. Only a very few ISPs even had postmaster pages, and the information there wasn’t always helpful.
More recently that’s changed. It’s no longer required to have a good relationship at the ISPs to get inbox delivery. I can point to a number of reasons this is the case.
ISPs have figured out that providing postmaster pages and more information in rejection messages lowers the cost of dealing with senders. As the economy has struggled ISPs have had to cut back on staff, much like every other business out there. Supporting senders turned into a money and personnel sink that they just couldn’t afford any longer.
Another big issue is the improvement in filters and processing power. Filters that relied on IP addresses and IP reputation did so for mostly technical reasons. IP addresses are the one thing that spammers couldn’t forge (mostly) and checking them could be done quickly so as not to bottleneck mail delivery. But modern fast processors allow more complex information analysis in short periods of time. Not only does this mean more granular filters, but filters can also be more dynamic. Filters block mail, but also self resolve in some set period of time. People don’t need to babysit the filters because if sender behaviour improves, then the filters automatically notice and fall off.
Then we have authentication and the protocols now being layered on top of that. This is a technology that is benefiting everyone, but has been strongly influenced by the ISPs and employees of the ISPs. This permits ISPs to filter on more than just IP reputation, but to include specific domain reputations as well.
Another factor in the removal of the human is that there are a lot of dishonest people out there. Some of those dishonest people send mail. Some of them even found contacts inside the ISPs. Yes, there are some bad people who lied and cheated their way into filtering exceptions. These people were bad enough and caused enough problems for the ISPs and the ISP employees who were lied to that systems started to have fewer and fewer places a human could override the automatic decisions.
All of this contributes to the fact that the Human Representative is becoming a more and more elusive target. In a way that’s good, though; it levels the playing field and doesn’t give con artists and scammers better access to the inbox than honest people. It means that smaller senders have a chance to get mail to the inbox, and it means that fewer people have to make judgement calls about the filters and what mail is worthy or not. All mail is subject to the same conditions.
The Human Representative is endangered. And I think this is a good thing for email.
First step in delivery
Ever trawl through your logs and notice that there is a delivery problem somewhere? I’m sure everyone sending email in any volume has.
What’s the first thing you do when you discover a block?
Inbox rates and conversion rates
Jeanne Jennings published an interesting bit of research on open rates and inbox rates at ClickZ recently. Essentially she looked at two different industry studies and compared their results.
The first study was the Return Path Global Delivery Survey and the second was the Epsilon North American Trend Results. What Jeanne found is that while Return Path shows a decrease in inbox placement, Epsilon is seeing an increase in average open rate.
There are any number of reasons this could be happening, including simply different ways the numbers are calculated. I am not sure it’s just a numbers issue, though. Many of Epsilon’s clients are very big companies with a very experienced marketing team. The Return Path data is across their whole user base, which is a much broader range of marketers at different levels of sophistication.
I expect that the Epsilon data is a subset of the Return Path data, and a subset at the high end at that. It does hint, though, that when the inbox is less cluttered, recipients are more likely to open the commercial mail that does get in there.
Best Practices: your mileage may vary
YMMV. One of those abbreviations us old folks used ages ago before email had pictures and the closest we had to social networking was USENET and social gaming was in the form of MUDs. I rarely see it used any more. In a lot of ways that’s a sad thing. It was a very useful abbreviation. Using it at the end of a post full of advice was a sign that the author was providing information but knew that different situations may require different solutions. It acknowledged that what might be the best practice in one form may not be the best for another.
It’s not just the usage that seems to have declined, there seem to be a lot more people who just want to share The Answer! and not acknowledge their experience may not be universal. This seems particularly rampant in email marketing, at least to me (YMMV).
I’ve talked before about how I don’t believe there are any universal best practices for email.
Let’s be honest, the experience of a well known national retailer buying, or appending email addresses is not going to be the same as a local business doing the same thing. The national retailer acquiring email addresses and sending well targeted mail to their purchasers probably won’t cause too many delivery problems, and will generate revenue. The local pizza place probably won’t be so lucky.
A number of marketers have complained that they all too often hear “it depends” when they ask a question about email. But how well a particular email campaign performs does depend. Success depends on the audience and the offer. But more than just the specific offer, success also depends on how well known the brand is and what their real world reputation with customers is.
Customers are a lot more likely to give brands the benefit of the doubt if they like the product. That means poor practices don’t always result in poor results. It also means other companies may not have the same success with poor practices.
Your Mileage May Vary.
Gmail and the bulk folder
Earlier this week Gmail announced they were providing reasons for why they delivered a particular mail to the bulk folder. I’m sure a lot of senders are rejoicing over the clear feedback. After all, this is exactly what they’ve been asking for: “tell us why you’re filtering our mail and we’ll fix it.”
I am not sure, however, that this is going to help the majority of senders seeing mail going to the bulk folder. On the Gmail support pages, they list a number of the explanations they’ll be providing.
Why complain now?
There’s a concert promoter in London that’s been spamming me for years and years. Most of the time my spam filters take care of it and I never see their mail. Every once in a while, though, one of their emails gets through and ends up in my inbox. Usually I move it to junk, curse at my filters for not getting it right and just go on with whatever I’m doing.
I suspect this is more common than not with most people. Those lucky enough to have a “this is spam” button can make the mail stop by clicking it. Others, like me, just have to delete it and move on.
Sometimes, though, I get to the point where I’ve had enough. I’ll send in a complaint to the sender or their provider.
I have to wonder, though, how many people react to email negatively and hit “this is spam” when they’ve been ignoring mail for a while. This can complicate the lives of senders (what doesn’t?) because the “this is spam” isn’t in reaction to a specific email, but happens due to circumstances outside of the sender’s control.
Delivery is an ever changing field, and it’s just getting more complex and harder as receiver tools get more sophisticated.
Less can be more and more can be more
The Wall Street Journal reports that some large retailers are scaling back their email marketing. Benefits of sending less mail include higher open rates, lower unsubscribe rates and an increase in sales.
Browsers, security and paranoia
MAAWG is coming up and lots of us are working on documents and presentations. One of the recent discussions is what kind of security recommendations, if any, should we be making. I posted a list of things including “Don’t browse the web with a machine running Windows.”
Another participant told me he thought my recommendation to not use a Windows machine to browse the web was over the top and paranoid. It may be, but drive-by malware attacks are increasing. Visiting big sites may not be enough to protect you, as hackers are compromising sites and installing malware to infect visitors to those sites. Some ad networks have also been used to spread malware.
Criminals have even figured out how to install malware on a machine from email, without the recipient having to click or open attachments.
Avoiding the internet from a machine running Windows is a security recommendation I don’t expect many people to follow, but I do not think security and anti-virus software is enough to protect people from all of the exploits out there.
Of course, there are a lot of reasons that one might be forced to use a particular browser or operating system. For instance, I was on the phone with my bank just today to ask if they supported Safari. They say they do, but there are some things that just don’t work. The customer service rep said that they recommend Internet Explorer to all their users. She then suggested I switch browsers. No thanks, I’ll deal with the broken website.
Compromises are a major threat, and criminals are spending a lot of time and money on creating ways to get past current security. No longer is “not clicking on malware” enough to protect users. When a security clearinghouse is compromised and used as a vector for a targeted attack against Google, none of us are safe. When a security company is compromised, none of us are safe.
I realize my recommendation to avoid browsing the web on a Windows based machine is more wishful thinking than practical. I also know that other browsers and operating systems will be targeted if enough people move away from currently vulnerable operating systems. And I know that a simple, offhand suggestion won’t fix the problem.
As someone who’s been online long enough to see the original Green Card spam I know that online dangers evolve. But I can’t help thinking that most of us aren’t taking the current threats seriously enough.
Spamming ESPs: the followup
Campaign Monitor contacted me about yesterday’s post. The phrasing I picked out of the spammer’s AUP matched their AUP quite closely. In fact, if you plug the AUP into Google, Campaign Monitor comes up as one of the first hits.
It was not Campaign Monitor I was talking about. In fact, the ESP I received the mail from is not on the first 8 pages of Google hits for the phrases I posted.
A similar thing happened when I posted about Dell spamming me. Dell has multiple ESPs, and one of their ESPs contacted me directly in case they were the ones Dell was spamming through. It was no surprise to me that they weren’t the ESP involved.
This is what good ESPs do. Good ESPs monitor their reputation and monitor what people are saying about them. Good ESPs notice when people claim they’re being spammed and effectively reach out to the complainers so they can investigate the claim.
Good ESPs don’t just rely on the complaint numbers to take action. They keep an eye out on social networks to see who might be receiving mail they never asked for.
Spamming ESPs
In my mailbox there is a definite uptick in spam from ESPs advertising their services.
Today’s email was from a company that has the following in their anti-spam policy:
Court rules blogger is not a journalist
Last week a federal judge ruled a blogger, Crystal Cox, was not a journalist and not subject to First Amendment protections. I haven’t been following the case very closely, but was a little concerned about the precedent and the liability for people like me who blog.
Reading some of the articles on the case, though, I’m less worried. This isn’t a blogger making some statements. Instead, Ms. Cox acted more like a stalker and harasser than a reporter. The judge even concluded that had she been granted protection as a journalist it was unlikely she could prevail as there was little factual basis for her statements.
Others have done better summaries of the case and the effect and I encourage everyone to read them.
Seattle Weekly
New York Times
Ars Technica
Forbes
I also discourage folks from applying this ruling to all bloggers. It’s not clear she was doing anything journalistic. I did find it interesting that some of her techniques to ruin the lawyer’s search results were defined as Search Engine Optimization. I’ve long thought SEO was akin to spam: say something often enough in enough places and you start to dominate the conversation. Not because you have anything useful to say, but because no one can get an idea in otherwise.
Yahoo awarded $610 million
The Federal district court in New York awarded Yahoo $610 million in a suit they filed in 2008.
IP reputation and the bulk folder
I’ve spent much of today talking to various people about IP reputation and bulk foldering. It’s an interesting topic, and one that has changed quite a bit in the past few months. Here are a few of the things I said on the topic.
Generally, IPs that the ISP has not seen traffic from before start out with a slight negative reputation. If you think about all the new IPs that an ISP will see mail from on a daily basis, 99 out of 100 of those will be bot-infected Windows boxes. So they’re going to treat that mail very suspiciously. And, in the grand scheme of things, that mail is going to be spam a lot more than it’s not going to be spam.
Some ISPs put mail in both the inbox and the bulk folder during the whitelisting process. Basically they’re looking to see if your recipients care enough about your mail to look for it in the bulk folder. This then feeds back to create the reputation of the IP address. There is another fairly major ISP that told me that when they’re seeing erratic data for a particular sender they will put some mail in bulk and some mail in the inbox and let the recipients tell the system which is more correct.
That’s what happens while you’re establishing a reputation on an IP. Once there is some history on the IP, things get a little different. At that point, IP reputation becomes unimportant in terms of bulk foldering. The ISP knows an IP has a certain level of reputation, and *all* their mail has that level of reputation. So bulk foldering is more related to content and reputation of the domains and URLs in the message.
The other reason IP reputation isn’t trumping domain / content reputation as much as it did in the past is that spammers stomped all over that. Affiliates, snowshoers, botnets, all those methods of sending spam made IP reputation less important and the ISPs had to find new ways to determine spam / not spam.
So if you’re seeing a lot of bulk foldering of mail, it’s unlikely there’s anything IP reputation based to do. Instead of worrying about IP reputation, focus on the content of the mail and see what you may need to do to improve the reputation of the domains and URLs (or landing pages) in the emails. While the content may not appear that different, the mere mention of “domain.com” where domain.com is seen in a lot of spam can trigger bulking.
Spam is not illegal
I was recently taken to task for claiming that unsolicited bulk email was spam.
Audit trails are important.
One of the comments on my Spamtraps post claims that audit trails should be maintained by recipients, not senders.
How do I know you're spamming?
There are a number of reasons I know that mail coming into my mailbox is spam.
Not lazy, just annoyed
I don’t usually send in spam reports, but I submitted a couple in the last few weeks. Somehow an address of mine is on a bunch of rave / club lists in London. You want to know what is happening at London clubs this week? It’s all there in my spam folder.
This mail finally hit my annoyance threshold, so I’ve been submitting reports and complaints to the senders the last few weeks. The mail, with full headers, goes with an explanation that the address that received it was harvested off a website more than 5 years ago and never opted in to receive any mail.
One of the ISPs I sent the report to has a web form where the complainant and the customer can see the report and both can comment on it. The customer replied to my complaint on it.
Spot the CAN SPAM violations
I received this piece of unsolicited email today, to an address harvested off a website. How many CAN SPAM violations can you count?
Spammer prosecuted in New Zealand
Today (well, actually tomorrow, but only because New Zealand is on the other side of the date line) the NZ Department of Internal Affairs added a 3rd statement of claim against Brendan Battles and IMG Marketing. This third claim brings the total possible fines to $2.1 million.
Brendan is a long term spammer, who used to be in the US and moved to New Zealand in 2006. His presence in Auckland was noticed by Computerworld when a number of editors and staffers were spammed. When contacted by the paper, Brendan denied being involved in the spam and denied being the same Brendan Battles.
New Zealand anti-spam law went into effect in September 2007. The Unsolicited Electronic Messages Act 2007 prohibits any unsolicited commercial email messages with a New Zealand connection, defined as messages sent to, from or within New Zealand. It also prohibits address harvesting.
The Internal Affairs department also appears to be investigating companies that purchased services from Brendan Battles.
ESPs, complaints and spam
Steve wrote a while back about how Mailchimp handled his complaint.
Sadly, I have a counter example from recently.
Uptick in botnet spam
There’s been a heavy uptick in botnet spam over the last few days, judging by things I’m hearing and my own mailboxes. There are a few common subject lines, but all of them are trying to get recipients to either run programs or visit malicious web pages.
The first subject line I’m seeing a lot of is “<name> wants to be friends with you on facebook!” In my mailbox most of those names have not been common European names. The giveaway that this isn’t actually a Facebook invite is the Reply-To address pointing to LinkedIn. The URLs in the message appear to be random strings of numbers, and may actually encode recipient information in them.
The second has a subject that is a variation on “End of July Statement.” The spammers are mixing capitals, adding in “Re:” and “FWD:” and sometimes increasing the urgency by adding required or STAT!! to the mail. These mails contain a .zip file which probably contains some virus which will turn the recipient machine into the next spam spewing bot.
The third variation has the subject line “Uniform Traffic Ticket.” The content is a citation that tells the recipient they were speeding somewhere in New York (possibly other states, I have only done a spot check of the couple hundred copies I have). There is, however, a .zip attachment with a virus.
Most people probably aren’t seeing these. SpamAssassin is doing a reasonably good job here of catching the spam and filtering it. I’m sure that the bigger ISPs are also filtering it effectively. But one person did forward a copy of the spam to a mailing list and ask if anyone knew what was going on.
If you get any of these messages, you don’t need to ask. It’s virus spam. Don’t open it and don’t forward it.
The little things
It really amuses me when I get blatant spam coming from a network belonging to one of our Abacus customers. I know that the complaint will be handled appropriately.
It’s even better when the spam advertises the filter busting abilities of the spammer. I get a warm, fuzzy feeling to know that the spammer is going to be looking for a new host in the immediate future.
No one harvests email addresses any more
There are a lot of people who assert that “no one” actually scrapes websites for email addresses any longer. My experience indicates this isn’t exactly true.
We have a rotating set of email addresses on our contact page. Every day we push out a new email address. Every day we expire addresses that were pushed out 7 days ago.
I can say, with 100% certainty, that there are people harvesting addresses off websites. The ads are reasonably “targeted.” Most of them are offering increased traffic, or the ability to monetize the website. Some are offering work from home.
I suppose you could call these targeted mails. After all, what website owner doesn’t want more traffic? Who wouldn’t want to make hundreds of dollars a day from the comfort of their own couch? What website owner doesn’t want their site submitted to 2700 different search engines?
Targeted spam is still spam. And having a rotating, expiring contact address has kept the amount of spam coming into our contact address low enough that the contact address is actually useable. 10 spams a month (for a 7 day old email address) is much more manageable than 1000 emails a month (for a 4 year old email address).
Are you sure? Part 2
There was a bit of discussion about yesterday’s blog post over on my G+ circles. One person was telling me that “did you forget you opted-in?” was a perfectly valid question. He also commented he’s had the same address for 20 years and that he does, sometimes forget he opted in to mail years ago.
As an anti-spammer with the idea that it’s all about consent, I can see his point. Anti-spammers, for years, have chanted the mantra: “it’s about consent, not content.” Which is a short, pithy way to say they don’t care what you send people, as long as the recipients themselves have asked for it.
This is the perfect bumper sticker policy. As with most bumper sticker policies, though, it’s too short to deal with the messy realities.
I’m not knocking consent. Consent is great. Every bulk mailer should only be sending mail to people who have asked or agreed to receive that mail.
But if your focus is on delivery and getting mail to the recipient’s inbox and getting the recipient to react to that mail then you can’t just fall back on consent. You have to send them mail that they expect. You have to send them mail that they like. You have to send them mail they will open, read and interact with.
If your permission based recipients are saying they forgot that they signed up for mail, that is a sign that the sender’s program is futile. These are people who, at one point or another, actually asked to receive mail from a sender, and then the mail they receive is so unremarkable that they totally forget about the sender.
Maybe that’s another reason the question “are you sure you didn’t forget you opted in” from clients bothers me so much. If I signed up and forgot, that points to problems in your program, mostly that it’s totally unremarkable and your subscribers can forget.
Are you sure you didn't opt in?
Yes, really. I’m sure I didn’t opt-in.
I get a lot of spam. I get a lot of spam to addresses that aren’t used to sign up for mail. But it seems that whenever I bring up examples of receiving spam I inevitably get asked, “Are you sure you didn’t opt-in?”
On one level I can understand the question when I send in a complaint to an abuse desk and they’re dealing with a customer who swears all their mail is opt-in. It makes sense when an ESP is working to identify what may have happened so they can correct their customers’ behaviour.
But when it’s a client who has hired me to investigate their email delivery problems and I provide examples of spam sent to me? Why, WHY would I lie to you? Why would I claim I’m getting spam if I wasn’t? What use is that? How does me forgetting I subscribed actually help fix your delivery?
And even if I did forget, shouldn’t that be a sign that maybe there is some issue with your mail program that people sign up and forget?
I am not sure what causes clients to think I would tell them they’re spamming me when they’re really not. I certainly do tell clients when I opt-in and enjoy their mail while offering advice on how to improve their marketing program. I’m not sure what’s going through their heads when I say, “Oh, you (or your affiliate) is sending me a lot of spam,” that prompts them to ask, “Are you sure you didn’t opt-in?”
TWSD: I can haz ethix marketing
I’m getting slammed by spam advertising URLs at http://perfectdeliveries.com/ from
Ethix Marketing LLC
711 S. Carson Street Suite 4
Carson City, Nevada 89701
The kicker? They’re violating CAN SPAM while they’re doing it. Seriously, sending mail out through open relays and proxies with forged From: addresses is a violation of CAN SPAM. And they’re spamming for ambulance chasers.
Spammers, eh?
Marketing or spamming?
A friend of mine sent me a copy of an email she received, asking if I’d ever heard of this particular sender. It seems a B2B lead generation company was sending her an email telling her AOL was blocking their mail and they had stopped delivery. All she needed to do was click a link to reactivate her subscription.
The mail copy and the website spend an awful lot of time talking about how their mail is accidentally blocked by ISPs and businesses.
First spam to Epsilon leaked address
This morning I received the first two spams to the address of mine that was compromised during the Epsilon compromise back in April. Actually, I received two of them. One was the “standard” Adobe phish email. The other was similar but referenced Limewire instead of Adobe.
End of quarter spam
There has been a plethora of big brand companies doing stupid stuff with marketing recently. I can only figure it’s end of quarter and everyone is looking to pump up their numbers as fast as possible.
I talked about Millenium hotels sending me an utterly irrelevant ad earlier this week.
@Yahoomail direct message spammed all their twitter followers with an ad for something related to the new Yahoo mail product.
Anyone watching my twitter feed yesterday probably noticed me complaining about spam from Dell.
All of these things are just examples of sloppy marketing. In Dell’s case it’s even worse because they sent me multiple copies of the spam to different addresses. Two copies of the same “SHOP NOW!” email to different addresses, one of which has never been given to Dell.
Mail to the first address is unquestionably spam and I did send in a complaint to Dell’s ESP. That address is never used to sign up for anything. I did try clicking on the “update your subscription” link in the footer and Dell’s website helpfully told me that address was not on their mailing lists. Looks like Dell bought a list.
The second address is one that was involved with the purchase of software from Dell last July. This is the first non-transactional mail sent to that address. I can’t necessarily call the email spam as I did give it to Dell during the course of a transaction. However, Dell could have done a lot better in managing our “relationship” than they did.
Dell collected my email address as part of a transaction in July 2010. They did not start sending marketing mail to this address until May 2011. While Dell is a major brand and most people would recognize the name and may be a little less inclined to hit “this is spam,” waiting 10 months between a purchase and regular mailings is a bad idea. People who don’t use tagged addresses may forget they gave the sender an email address and automatically send in a spam complaint.
Sitting on an address for 10 months means Dell really should have done a welcome series, or even just a single welcome email, to ease the transition from no mail to regular mail. But, no, they just send me an email advertising their sales.
We’ve been Dell customers for quite a while, and all of our purchases have been enterprise grade hardware or software to run on those servers. We’ve never purchased anything remotely like office computers. But the sales flyer was for desktops, printers and monitors. Dell knows what I purchased from there, so why are they sending me ads for things I’ve never bought?
We have our own Dell sales rep, and my only involvement in the transaction is source of payment. Adding me to a product list really feels like spam.
Then there was the email itself. The “update your subscription” link was broken and told me I wasn’t subscribed to their list. I mentioned it to Steve and he pointed out that particular link had been broken “forever.” How long has it been since anyone inside of Dell has checked that their footer links work?
What is Dell up to? Who knows. But they unarguably are sending mail to addresses that never opted in. And even if you consider an email given during a purchase process, their handling of that particular address was appalling and in violation of almost every good practice out there.
Buying lists
The problem with buying lists is that you never know which consumers are already on your list and you risk spamming current subscribers.
User education doesn't work
A growing OSX security problem illustrates why user education is not the solution to virus, spam or malware problems.
HT: @briankrebs
Another kind of email breach
In all the recent discussions of email address thievery I’ve not seen anyone mention stealing addresses by abusing the legal system. And, yet, there’s at least one ambulance chasing lawyer that’s using email addresses that were never given to him by the recipients. Even worse, when asked about it he said that the courts told him he could use the email address and that we recipients had no recourse.
I’m not sure the spammer is necessarily wrong, but it’s a frustrating situation for both the recipient and the company that had their address list stolen.
A few years ago, the law firm of Bursor and Fisher filed a host of class action lawsuits against various wireless carriers, including AT&T. At one point during the AT&T lawsuit the judge ruled that AT&T turn over their customer list, including email addresses, to Bursor and Fisher. Bursor and Fisher were then to send notices to all the AT&T subscribers notifying them of the suit.
This is not unreasonable. Contacting consumers by email to notify them of legal action makes a certain amount of sense.
But then Bursor and Fisher took it a step further. They looked at all these valid email addresses and decided they could use this for their own purposes. They started mailing advertisements to the AT&T wireless list.
Spam works
I got a spam today advertising spamming services that ended with a tagline that can be paraphrased: We managed to spam you, let us spam others on your behalf!
OK, so what they actually said was:
Email marketing firm smacked by the SEC
Yes, the SEC. Really.
Apparently the email marketing firm mUrgent, which provides services to the restaurant and hospitality industry, also had a side business. According to the complaint filed by the SEC last month, they had an entire boiler room set up to sell shares for their non-existent IPO.
I’d never heard of this firm before, so I did a little digging. First step, check out their website.
Be on the lookout
I’m hearing more rumors of ESPs seeing customer accounts being compromised, similar to what happened with The Children’s Place.
I hate spam
But sometimes it makes me laugh. Yesterday I got a 419 that said, “[…]have been diagonalized with HIV/AIDS which has defiled all forms of medical treatment[…]” Diagonalized? Defiled all forms of treatment?
At least it was entertaining, right?
You've got to be kidding me
Earlier this week I received an email to a work address I retired 4 or 5 years ago. The from and subject lines alone were enough to make me laugh and decide I had to blog about this particular spammer.
Another security problem
I had hoped to move away from security blogging this week and focus on some other issues. But today I see that both CAUCE and John Levine are reporting that there is malware spam coming from a Cheetahmail customer.
Looking at what they shared, it may be that Cheetahmail has not been compromised directly. Given mail is only coming from one /29, which belongs to one customer, it is possible that only the single customer account has been compromised. If that is the case, then it’s most likely one of the Cheetahmail users at the customer got infected and their Cheetahmail credentials were stolen. The spammer then gained access to the customer’s Cheetahmail account. It’s even possible that the spammer used the compromised customer account to launch the mail. If this is the case, the spammer looked exactly like the customer, so most normal controls wouldn’t have noticed this was a spammer.
This highlights the multiple vectors these criminals are using to gain access to ESPs and the mailing systems they use. They’re not just trying to compromise the ESPs, but they’re also attempting to compromise customers and access their accounts so that the spammer can steal the ESP’s hard-won and hard-fought sending reputation.
Everyone sending mail should be taking a long, hard look at their security. Just because you’re not an ESP doesn’t mean you aren’t a target or that you can get away with lax security. You are also a target.
Spammers, eh?
From my inbox, missed by the spamfilter:
Do you know people who have worked a lot or could not find a job for a long time and suddenly began to earn well, gain valuable items and look better?
We can reveal to you their secret.
Anyone who bought a diploma from us raised their standard of living in half!
Our diplomas are verified and credible. We offer expert help in selection of the right option and a short waiting time.
Don’t look at other – DO YOUR OWN SUCCESS!
—–
+ 1 – 646 – 555 – 1212
—–
We need your infarmation:
1) Your Name
2) Your Country
3) Telephone No. with a code of country if you are outside USA
Do Not Reply to this Email.
We do not reply to text inquiries, and our server will reject all response traffic.
We apologize for any inconvenience this may have caused you.
This is not a spam
If you don’t want to receive this message to your e-mail, call this number and refuse it – spell your e-mail
Turn it all the way up to 11
I made that joke the other night and most of the folks who heard it didn’t get the reference. It made me feel just a little bit old.
Anyhow, Mickey beat me to it and posted much of what I was going to say about Ken Magill’s response to a very small quote from Neil’s guest post on expiring email headers last week.
I, too, was at that meeting, and at many other meetings where marketers and the folks that run the ISP spam filters end up in the same room. I don’t think the marketers always understand what is happening inside the postmaster and filtering desks on a day to day basis at the ISPs. Legitimate marketing? It’s a small fraction of the mail they deal with. Ken claims that marketing pays the salaries of these employees and they’d be out of a job if marketing didn’t exist. Possibly, but only in the context that they are paid to keep their employer’s servers up and running so that the giant promises made by the marketing team of faster downloads and better online experiences actually happen.
If there wasn’t an internet and there weren’t servers to maintain, they’d have good jobs elsewhere. They’d be building trains or designing buildings or any of the thousands of other jobs that require smart technical people.
Ken has no idea what these folks running the filters and keeping your email alive deal with on a regular basis. They deal with the utter dregs and horrors of society. They are the people dealing with unrelenting spam and virus and phishing attacks bad enough to threaten to take down their networks and the networks of everyone else. They also end up dealing with law enforcement to deal with criminals. Some of what they deal with is unspeakable: abuse and mistreatment of children and animals. These are the folks who stand in front of the rest of us, and make the world better for all of us.
They should be thanked for doing their job, not chastised because they’re doing what the people who pay them expect them to be doing.
Yes, recipients want the mail they want. But, y’know, I bet they really don’t want all the bad stuff that the ISPs protect against. Ken took offense at a statement that he really shouldn’t have. ISPs do check their false positive rates on filtering, and those rates are generally less than 1% of all the email that they filter. Marketers should be glad they’re such a small part of the problem. They really don’t want to be a bigger part.
Spammers and the law
Robert Soloway, one of the people crowned with the title “Spam King”, has been released from jail. He was an extremely prolific spammer, generating over 10 trillion messages over the course of his career.
As Mr. Soloway exits jail, another spammer heads to serve his 20 year sentence. Peter Maxson Anyanyueze sent Nigerian 419 spams telling people they could profit from helping him move money around. The scam is that the victim needs to pay small amounts of money, sometimes totalling tens or hundreds of thousands of dollars.
Light blogging for a while
Sorry for the lack of substantive posts, things seem to have gone completely out of control and I’m not finding a lot of extra cycles to sit down and blog. I’ll try and get some stuff up this week, but I’m also getting ready for MAAWG and the sessions I’m a part of there.
There was an interesting post by Romer over on his personal blog. If you don’t know, Romer helps maintain one of the commercial mail filters. He recently got spammed by one of his vendors and talked about how this is probably not the best idea. Al adds his own take on companies assuming permission. I’ve talked about taking permission in the past but haven’t touched on things like “spamming the guy who runs the filter.”
You’d be surprised, or maybe you wouldn’t, about how many people who run filters for large organizations get spammed regularly. You wouldn’t be surprised to find out that those people do factor in their own personal spam load when adjusting their organizational filters.
How many people to enforce policy?
I’ve been head down working on a doc for a client and started wondering what the average size of an enforcement team is. This client told me during one of our calls they wanted to be as clean and well respected as another ESP, but was shocked when I told them how large an enforcement and delivery team that ESP maintained.
I know other clients of mine have 6 – 8 people for a very large customer base, and all of them take their job very seriously.
That got me to thinking: what is the average size of a policy and enforcement desk? Does it scale with userbase? Does it scale with the amount of mail you send? Is there a minimum size?
So tell me: how many people are on your policy and enforcement team?
Still more spam stats
Mailchannels put together another post looking at spam volumes. Related to that, many people are reporting that bot levels are climbing again.
Social networks and bulk email
There’s been a bit of a commotion on Twitter and over at J Caldwell’s blog about Al’s reaction to someone harvesting his address off LinkedIn and then adding that email address to his company’s marketing / newsletter database. Al objected to getting the mail, the person who did this shot back that it wasn’t spam, and there was lots of arguing both over Twitter and on the blog post.
This also recently happened when a well known email marketer took all 500+ of his LinkedIn contacts (including me) and added them to his corporate Christmas card list. His behaviour also created a bit of a stir, although it was a little less public.
That mailing was interesting, because a number of people who received the card thought this was the Best Use of Email, EVER! Some of them went so far as to opine “How could ANYONE not like this mail? What are they, Scrooge?” Well, actually, I found the mail irrelevant and a bit annoying. I have to admit I would have been a lot less annoyed if I knew this was a one time thing. However, in order to comply with CAN SPAM he included an opt-out. Which led to some head scratching: have I been added to their full list? Am I going to get their newsletter from now on? Do I have to opt-out? What was he thinking?
Watching both of the above situations go down I have come up with a list of things you must consider when sending bulk mail to people who have connected with you on social networks.
More spam graphs
Ken Simpson, CEO of Mailchannels, was kind enough to give me permission to post their graph of spam and email volumes from September 1, 2010 through Jan 3, 2011.
Spam volumes in 2010
I started hearing various people comment about lower spam volumes sometime in mid December. This isn’t that unusual, spam volumes are highly variable and someone is always noticing that their spam load is going up or going down. The problem is extrapolating larger trends from a small selection of email addresses. There’s too much variation between email addresses and even domains to make any realistic assumptions about global spam volumes from mail coming into a particular address or domain. And that variation is before you even consider that spam filters prevent much of the spam from actually reaching people.
Now you know…
The key to email marketing, at least if you read blogs and talk to experts who blog about such things, is to segment your lists. But what does segmenting your lists really mean? Ken touches on it in a recent article about engagement and segmenting.
Segmenting your list means, quite simply, knowing your audience. It means tailoring your message to them, in order to extract as much money from them as possible. It means knowing which subscribers you can push with volume and which you will lose if you increase things too far.
In short, it means not treating all your subscribers the same, instead treating them slightly differently based on how they interact with your message.
To some people, this is too difficult. Ken even quoted someone in the industry as saying
TWSD: lie about the source of address
A few months ago I got email from Staff of Norman Rockwell Museum of Vermont, to an address scraped off one of my websites. At the bottom it says:
Email attacks
Ken has an article up today about the ongoing attacks against ESPs and email marketers. In it he says:
Attention is a limited resource
Marketing is all about grabbing attention. You can’t run a successful marketing program without first grabbing attention. But attention is a limited resource. There are only so many things a person can remember, focus on or interact with at any one time.
In many marketing channels there is an outside limit on the amount of attention a marketer can grab. There are only so many minutes available for marketing in a TV or radio hour and they cost real dollars. There’s only so much page space available for press. Billboards cost real money and you can’t just put a billboard up anywhere. With email marketing, there are no such costs and thus a recipient can be trivially and easily overwhelmed by marketers trying to grab their attention.
Whether it’s unsolicited email or just sending overly frequent solicited email, an overly full mailbox overwhelms the recipient. When this happens, they’ll start blocking mail, or hitting “this is spam” or just abandoning that email address. Faced with an overflowing inbox recipients may take drastic action in order to focus on the stuff that is really important to them.
This is a reality that many marketers don’t get. They think that they can assume that if a person purchases from their company that person wants communication from that company.
FBox: The sky isn't falling
Having listened to the Facebook announcement this morning, I am even more convinced that emailpocalypse isn’t happening.
Look, despite the fact that companies like Blue Sky Factory think that this means marketers are NEVER EVER going to see the inside of an inbox again, this isn’t the end of email marketing.
Yes, Facebook email is a messaging platform that marketers are not going to have direct, unlimited and unfettered access to. I have no problem with this. Unfettered access to a messaging platform has been abused by marketers long enough, that I heartily approve of a platform that gives real control back to the recipient.
With that being said, there are a couple blindingly obvious ways to avoid having to give users control of their own inbox.
Best practices: a meaningless term
Chad White wrote an article for MediaPost about best practices which parallels a lot of thinking I’ve been doing about how the email marketing industry treats best practices.
The myth of the low complaint rate
I have been reading the complaints filed by Holomaxx and will have some analysis and information about them probably Monday or Tuesday next week. I’ve been keeping an eye on the press and something that Ken Magill said caught my eye.
Don't be Amelia
I have an adorable cat that I ‘taught’ that I would pet her if she tapped me on the arm or shoulder with her paw. It was cute for a while, but then she got more and more demanding. Eventually, she was clawing at my clothes and skin to get attention and petting.
It’s gotten to the point where I have to put a stop to it. She’s just getting too destructive to me and my clothing. So over the last two weeks I’ve been trying to only reward those touches that don’t involve claws and giving her a stern “NO CLAWS” when she does try to claw me.
As I was sitting here this afternoon, going through yet another round of NO CLAWS with her, I realized that my interactions with her were eerily similar to email marketing.
You see, Amelia started using her claws to get my attention because I didn’t always respond to her gentle taps. But claws hurt, and were a problem, so I would respond. This is exactly like marketers who don’t see a response to their email marketing campaigns and thus up the aggressiveness of those campaigns. More mail, more frequency, stronger offers, anything to get a response out of recipients.
Eventually, though, the recipient finally gets annoyed. The aggressive “taps” result in spam complaints. The sender has pushed the recipient from “it’s not so bad” to “make this sender stop bugging me.”
Email marketing is interruption marketing and there is only so much recipients will tolerate. And, trust me, few email marketers are as cute as my Amelia Cat.
More information on arrests
Terry Zink has a more detailed post on some of the spammer arrests and takedowns that have happened recently.
In addition to the events I mentioned yesterday, authorities arrested an Armenian man suspected of running the Bredolab botnet. Unfortunately, the arrest has not stopped the spam with the malware payload.
These are issues that many ISP abuse and postmaster desks deal with on a daily basis. Their filtering schemes and policies are in place to protect customers from the mob, and criminals. I don’t think enough marketers and senders understand exactly how much the ISPs are dealing with and why many ISPs don’t really care that “mail is taking 12 hours to get to the inbox.” They are dealing with much more important things.
The dark side of email marketing
Everyone I talk to when dealing with issues inevitably has to tell me they are legitimate email marketers. They’re not spammers, they’re just business people. I often find it difficult to fathom why they need to tell me this. It’s not like email marketers are criminals or anything.
Two recent stories reminded me how evil some folks are. While I’ve not had any direct contact (that I know of) with any of the players on this end of things I have zero doubt that if they called me they would tell me that they were legitimate email marketers.
In one case, members of a spam gang kidnapped the teenage daughter of someone investigating their activities. The gang held her for more than 5 years in horrific conditions. Yesterday Joseph Menn, author of “Fatal System Error” posted on Boing Boing that his friend got his daughter back. It is a heartbreaking story and incredibly sobering.
In another case, the Russian police arrested a man who ran spammit.com, a clearinghouse for viagra sellers to find spammers to send their mail. Reports say that mail volumes dropped by a fifth after the site was taken offline.
There is real evil in the email marketing industry. Sure, they’re spammers and we can all stand up and say they’re not legitimate. But, this is what the ISPs and Spamhaus and law enforcement are dealing with on a regular basis.
Ah, Spammers.
The too many.
The stupid.
The spammers.
The blog spammers are still actively attempting to get their claws into my blog. Today the comments included:
Would you buy a used car from that guy?
There are dozens of people and companies standing up and offering suggestions on best practices in email marketing. Unfortunately, many of those companies don’t actually practice what they preach in managing their own email accounts.
I got email today to an old work email address of mine from Strongmail. To be fair it was a technically correct email. Everything one would expect from a company handling large volumes of emails. It’s clear that time and energy were put into the technical setup of the send. If only they had put even half that effort into deciding who to send the email to. Sadly, they didn’t.
My first thought, upon receiving the mail, was that some new, eager employee bought a very old and crufty list somewhere. Because Strongmail has a reputation for being responsible mailers, I sent them a copy of the email to abuse@. I figured they’d want to know that they had a new sales / marketing person who was doing some bad stuff.
I know how frustrating handling abuse@ can be, so I try to be short and sweet in my complaints. For this one, I simply said, “Someone at Strongmail has appended, harvested or otherwise acquired an old email address of mine. This has been added to your mailing list and I’m now receiving spam from you. ”
They respond with an email that starts with:
“Thank you for your thoughtful response to our opt-in request. On occasion, we provide members of our database with the opportunity to opt-in to receive email marketing communications from us.”
Wait. What? Members of our database? How did this address get into your database?
“I can’t be sure from our records but it looks like someone from StrongMail reached out to you several years ago. It’s helpful that you let us know to unsubscribe you. Thank you again.”
There you have it. According to the person answering email at abuse@ Strongmail they sent me a message because they had sent mail to me in the past. Is that really what you did? Send mail to very old email addresses because someone, at some point in the past, sent mail to that address? And you don’t know when, don’t know where the address came from, don’t know how it was acquired, but decided to reach out to me?
How many bad practices can you mix into a single send, Strongmail? Sending mail to addresses where you don’t know how you got them? Sending mail to addresses that you got at least 6 years ago? Sending mail to addresses that were never opted-in to any of your mail? And when people point out, gently and subtly, that maybe this is a bad idea, you just add them to your global suppression list?
Oh. Wait. I know what you’re going to tell me. All of your bad practices don’t count because this was an ‘opt-in’ request. People who didn’t want the mail didn’t have to do anything, therefore there is no reason not to spam them! They ignore it and they are dropped from your list. Except it doesn’t work that way. Double opt-in requests to someone who has asked to be subscribed, or who is an active customer or prospect, are one thing. Requests sent to addresses of unknown provenance are still spam.
Just for the record, I have a good idea of where they got my address. Many years ago Strongmail approached Word to the Wise to explore a potential partnership. We would work with and through Strongmail to provide delivery consulting and best practices advice for their customers. As part of this process we did exchange business cards with a number of Strongmail employees. I suspect those cards were left in a desk when the employees moved on. Whoever got that desk, or cleaned it out, found those cards and added them to the ‘member database.’
But wait! It gets even better. Strongmail was sending me this mail, so that they could get permission to send me email about Email and Social Media Marketing Best Practices. I’m almost tempted to sign up to provide me with unending blog fodder for my new series entitled “Don’t do this!”
Spam is not a marketing strategy
Unfortunately, this fact doesn’t stop anyone from spamming as part of their marketing outreach. And it’s not just email spam. I get quite a bit of blog spam, most of which is caught by Akismet. Occasionally, though, there’s spam which isn’t caught by the filter and ends up coming to me for approval.
Many of these are explanations of why email marketing is so awesome. Some of them are out and out laugh inducing. One of my favorites, and the inspiration for this post.
Just stop spamming!
Al posted a clip from the Jim Carrey movie Liar Liar on SpamResource (slightly NSFW) that resonated with me this week.
If you meet me on the street and ask me what my job is I’ll tell you that I work with companies who send bulk email to make sure that they’re not sending spam. I do this by educating clients into good practices and teaching them how to send mail people want to receive. What this statement doesn’t tell people is that usually clients find me because they have been suspended by their ISP for spamming or blocked by some receiver.
Clients who find me because they can’t send mail usually hire me to solve their immediate problem. And I do give them the best advice I can to resolve their problem. But fixing today’s problem isn’t enough, you also need to fix the processes that caused the problem. To me, a critical part of my job is to set clients up for long term success by creating procedures that will get them delisted and keep them from being relisted in the future.
Sometimes, though, I have those moments Al is talking about. When clients don’t actually want to fix their problems, they just want to argue. They want to argue about the definition of spam. They want to argue about permission. They want to argue about how awful their ISPs are for suspending their account. They want to argue about CAN SPAM. They want to argue about free speech. They are angry and they want to fight.
My role is to listen to them, then guide them down a constructive path. I do turn out to be the sounding board for a lot of customers, sometimes they just need to know someone is listening to them. Once they get it all out we can move on into solving the problem.
But, boy, are there the occasional conversations where I just want to scream, “JUST STOP SPAMMING!”
Mail that looks like spam
One thing I repeat over and over again is to not send mail that looks like spam. Over at the Mailchimp Blog they report some hard data on what looks like spam. The design is simple, they took examples of mail sent by their customers and forwarded them over to Amazon’s Mechanical Turk project to be reviewed by humans.
In a number of cases they discovered that certain kinds of templates kept getting flagged as spam, even when Mailchimp was sure that the sender had permission and the recipients wanted the mail. They analyzed some of these false positives and identified some of the reasons that naive users may identify those particular emails as spam.
Ben concludes:
The hard sell works
Ken Magill, dad extraordinaire, describes how he went above and beyond the call to get his son a DVD while battling hard sell marketing techniques.
Blasting the message!
Sending frequency is an important part of any email campaign. Too little mail and recipients forget about the mail and don’t open it when it does arrive. Too much mail and folks start complaining, like John Cole over at Balloon Juice.
Beware the TINS Army
When consulting with clients, I spend a lot of time trying to help them better understand the concept of sender reputation. Spam reports, feedback loops, and other data that comes from a collection of positive and negative reputational feedback about a company sending email.
Certainly, the “This is not spam” action – moving an email from the spam folder to the inbox, or clicking the “not spam” button in a web mail’s interface, is a strong positive reputational action. Some webmail providers use this data to decide which bulked senders deserve being let out of the penalty box – which should have their mail once again delivered to the inbox.
A client recently theorized that a great solution to their delivery problems would be to do this “en masse.” Sign up for hundreds or thousands of webmail accounts, send my mail to them, and click on the “not spam” button for each of my own emails. That’ll greatly improve my sending reputation, right?
NO! ISPs have already thought of this. They watch for this. They’re really good at picking up on things like this. I know for a fact that Yahoo and Hotmail and AOL notice stuff like this, and I strongly suspect other webmail providers notice it as well.
What happens when Yahoo or Hotmail pick up on this type of unwanted activity? Well, if it’s at Yahoo, they’re likely to block all mail from you, 100%, forever. I’ve seen it happen more than once. Yahoo might even identify all of your netblocks, ones beyond the ones sending today’s mail or originating today’s activity. And good luck trying to convince them that you’re not a spammer – you have a better chance of winning the lottery two weeks in a row.
As for Hotmail – what would Hotmail do? Ask Boris Mizhen. Microsoft is currently suing him, alleging that he and/or his agents or associates engaged in this very practice.
Spam isn't a best practice
I’m hearing a lot of claims about best practices recently and I’m wondering what people really mean by the term. All too often people tell me that they comply with “all best practices” followed by a list of things they do that are clearly not best practices.
Some of those folks are clients or sales prospects but some of them are actually industry colleagues that have customers sending spam. In either case, I’ve been thinking a lot about best practices and what we all mean when we talk about best practices. In conversing with various people it’s clear that the term doesn’t mean what the speakers think it means.
For me, best practice means sending mail in a way that creates happy and engaged recipients. There are a lot of details wrapped up in there, but all implementation choices stem from the answer to the question “what will make our customers happy.” But a lot of marketers, email and otherwise, don’t focus on what makes their recipients or targets happy.
In fact, for many people I talk to when they say “best practice” what they really mean is “send as much mail as recipients will tolerate.” This isn’t that surprising, the advertising and marketing industries survive by pushing things as far as the target will tolerate (emphasis added).
It's not illegal to block mail
My post “We’re going to party like it’s 1996” is still getting a lot of comments from people. Based on the comments, either people aren’t reading or my premise wasn’t clear.
Back in 1996 the first lawsuits were brought against ISPs to stop ISPs from blocking email. These suits were failures. Since that time, other senders have attempted to sue ISPs and lost. Laws have been written protecting the rights of the ISPs to block content they deem to be harmful.
Dela says that he was just attempting to open up a conversation, but I don’t see what he thinks the conversation is. That ISPs shouldn’t block mail their customers want? Sure, OK. We’re agreed on that. Now, define what mail recipients want. I want what mail I want, not what someone else decides I might want.
Marketers need to get over the belief that they own end users’ mailboxes and that they have some right to send mail to people. You don’t.
When marketers actually start sending wanted mail, to people who actually subscribe – not just make a purchase, or register online or happen to have an easily discoverable email address – then perhaps marketers will have some standing to claim they are being treated illegally. Until and unless that happens, the ISPs are well within their rights to block mail that their users don’t want.
We're gonna party like it's 1996!
Over on deliverability.com Dela Quist has a long blog post up talking about how changes to Hotmail and Gmail’s priority inbox are a class action suit waiting to happen.
All I can say is that it’s all been tried before. Cyberpromotions v. AOL started the ball rolling when they tried to use the First Amendment to force AOL to accept their unsolicited email. The courts said No.
Time goes on and things change. No one argues Sanford wasn’t spamming, he even admitted as much in his court documents. He was attempting to force AOL to accept his unsolicited commercial email for their users. Dela’s arguments center around solicited mail, though.
Do I really think that minor difference in terminology is going to change things?
No.
First off “solicited” has a very squishy meaning when looking at any company, particularly large national brands. “We bought a list” and “This person made a purchase from us” are more common than any email marketer wants to admit to. Buying, selling and assuming permission are par for the course in the “legitimate” email marketing world. Just because the marketer tells me that I solicited their email does not actually mean I solicited their email.
Secondly, email marketers don’t get to dictate what recipients do and do not want. Do ISPs occasionally make boneheaded filtering decisions? I’d be a fool to say no. But more often than not when an ISP blocks your mail or filters it into the bulk folder they are doing it because the recipients don’t want that mail and don’t care that it’s in the bulk folder. Sorry, much of the incredibly important marketing mail isn’t actually that important to the recipient.
Dela mentions things like bank statements and bills. Does he really think that recipients are too stupid to add the from address to their address books? Or create specific filters so they can get the mail they want? People do this regularly and if they really want mail they have the tools, provided by the ISP, to make the mail they want get to where they want it.
Finally, there is this little law that protects ISPs. 47 USC 230 states:
Email marketing is hard
I’ve watched a couple discussions around the email and anti-spam community recently with a bit of awe. It seems many email marketers are admitting they are powerless to actually implement all the good advice they give to others.
They are admitting they can’t persuade, cajole, influence or pressure their companies to actually follow best practices. Some of the public and private comments I’ve heard from various industry leaders:
Botnets and viruses and phishing, oh my!
MessageLabs released their monthly report on email threats yesterday. Many media outlets picked up and reported that 41% of spam was from the Rustock botnet.
Other highlights from the report include:
Spamhaus and Gmail
Today’s been chock full of phone calls and dealing with clients, but I did happen to notice a bunch of people having small herds of cows because Spamhaus listed www.gmail.com on the SBL.
“SPAMHAUS BLOCKS GOOGLE!!!” the headlines scream.
My own opinion is that Google doesn’t do enough to police their network and their users, and that an SBL listing isn’t exactly a false positive or Spamhaus overreaching. In this case, though, the headlines and the original article didn’t actually get the story right.
Spamhaus blocked a range of IP addresses that are owned by Google that included the IP for www.gmail.com. This range of IP addresses did not include the gmail outgoing mailservers.
Spamhaus says
Should you respond to complaints
Should you ever contact someone who made an abuse complaint about your newsletter to find out why
Spamfilters: a marketer's best friend
I was cleaning out my spam folder this afternoon. I try and do it at least once a day, otherwise the volume gets so bad I don’t actually look at the mail I just mark it all as read. I realized, though, that spamfilters are actually a marketer’s best friend.
If there were no spam filters keeping all the crap people get out of their inbox (in my case over 1000 messages a day) then spam would overwhelm even the most dedicated email junkie. I couldn’t do my job without my spam filters, and in fact the recent rash of virus spew is ending up in my inbox and making finding real mail a problem. I do a lot of sorting before mail ever hits my inbox, and I’m still struggling to deal with the couple hundred “your order has shipped!” and “please her tonight!” emails that my local bayesian filters haven’t caught up to, yet.
Today’s stats:
Work inbox: 17 messages
Work spam: 419
95.9% spam
Personal inbox: 40
Personal spam: 975
95.9% spam
Without filters, I couldn’t accurately find that 4.1% of real mail that I get. Without filters, I couldn’t do my job. Without filters, I couldn’t find the real receipts from purchases I actually made. Without filters, I couldn’t read and respond to mail I wanted.
A mailbox overflowing with spam is unusable, and email marketers should be thankful that providers work so hard to keep spam out. Otherwise, email wouldn’t be useful for anything.
Appendleads is not unusual
I called out David Williams from appendleads.com yesterday for his spam. Sure he’s a spammer, his database is full of garbage information and his email violates CAN SPAM but he’s not that unusual in the realm of list sellers. He is very typical of the people I see offering lists for sale.
List sellers are the internet version of used car salesmen. Everyone knows they are slimy sales guys who will do anything to close the sale. They don’t have a real web presence, just visit appendleads.com and see what I mean.
And yet, people still buy lists from them! I have no doubt that my spammer friend has a nice little business selling email addresses. He sends out spam, he gets a few responses, makes a tidy profit and then sends out another spam, hooks a few more people and makes more money.
OK, so not all list sellers are like appendleads. Some of them go so far as to build a website. But at the core they’re the same. They are selling data that isn’t clean, it’s not opt-in, it’s not been verified.
This is why so many of us harp on not buying lists. The sales guys talk a great game, but they aren’t selling what purchasers think they’re getting. They also don’t care. They have no incentive to clean up their data. They have no incentive to accurately represent what they’re selling. All of the risk is on the person that sends the email. Once they have their money, the buyer is on their own.
Can you ever successfully purchase a list? I’m sure some senders have. But that experience is closer to winning more than a thousand dollars in the lottery than an actual good business decision.
Buying Lists
One of my email addresses at a client got spammed today offering to sell me appending services. I was going to post the email here and point out all of the problems in how he was advertising it, including violating CAN SPAM.
As I often do, I plugged his phone number into google, only to discover that my blog post from March about this spammer was the 2nd hit for that number. Well, go me.
I can report nothing has changed. He’s still violating CAN SPAM. He’s still claiming I have no right to post, share, spindle, mutilate or fold his spam. Well, in the interest in something, I thought I’d share the whole post this time. Just to warn folks from attempting to purchase services from appendleads.com (nice website, by the way).
Creating effective links
CampaignMonitor blogged today about an email they sent out that triggered the Thunderbird “this might be a scam” filter.
Email is not direct mail
Had an interesting talk with a colleague at a BBQ this weekend. He was at a large ISP and then moved on to do delivery at a large email marketing company. This marketing company was started by a very successful direct (snail mail) marketer. The CEO believed totally in testing and they measured everything. They knew what colors provoked a better response and which fonts were better received by recipients.
But this wasn’t always enough. They had some spotty delivery and my friend was hired to try and solve the delivery problems. He had some luck and did fix a number of things, but there was a deeper issue he couldn’t address: that email is not direct mail. The type of testing done is the type of testing for direct mail. They were so focused on getting the best response to a particular offer they refused to consider tweaking an offer from their “proven ideal” to stop triggering content filters at some large ISPs. So their ideal offers would sometimes end up in the inbox and sometimes in the bulk folder and sometimes just disappear.
With direct mail, the USPS is required by law to deliver mail to the addressee. Not only that, there are a lot of barriers put up to prevent (or discourage) recipients from opting out of receiving direct mail. This isn’t the case in email. Not only is there no requirement for an ISP to deliver email to recipients, there is actually a law that says that recipients must be able to opt-out from receiving future emails.
Direct marketers are used to having a lot of freedom and control over their mail. They can buy and sell address lists and send almost anything they want without having anyone tell them they can’t. That mindset translates badly into the email space where the ISPs and the recipients have a lot of control over their incoming email. It means that senders with the absolute perfect test copy see delivery problems because their perfect copy looks just like something a spammer would do and gets caught in content filters. It means they come into email and try to buy a list and discover that while it may be financially viable, they have to deal with angry upstreams, blocks at recipient ISPs and sometimes a Spamhaus listing.
Email isn’t the same as direct mail and attempting to map direct mail techniques onto email usually doesn’t work.
10 ways spam is like Vuvuzelas
Amir Lev has a great post today detailing the 10 ways that spam is like Vuvuzelas. After reading his reasons (and deleting over 1000 messages from Cutwail), I absolutely agree.
Legitimate mail in spamfilters
It can be difficult and frustrating for a sender to understand the whys and wherefores of spam filtering. Clearly the sender is not spamming, so why is their mail getting caught in spam filters?
I have a client that goes through this frustration on rare occasions. They send well crafted, fun, engaging content that their users really want. They have a solid reputation at the ISPs and their inbox stats are always above 98%. Very, very occasionally, though, they will see some filtering difficulties at Postini. It’s sad for all of us because Postini doesn’t tell us enough about what they’re doing to understand what my client is doing to trigger the filters. They get frustrated because they don’t know what’s going wrong; I get frustrated because I can’t really help them, and I’m sure their recipients are frustrated because they don’t get their wanted mail.
Why do a lot of filter vendors not communicate back to listees? Because not all senders are like my clients. Some senders send mail that recipients can take or leave. If the newsletter shows up in their inbox they may read it. If the ad gets in front of their face, they may click through. But, if the mail doesn’t show up, they don’t care. They certainly aren’t going to look for the mail in their bulk folder. Other senders send mail that users really don’t want. It is, flat out, spam.
The thing is, all these senders describe themselves as legitimate email marketers. They harvest addresses, they purchase lists, they send mail to spamtraps, and they still don’t describe themselves as spammers. Some of them have even ended up in court for violating various anti-spam laws and they still claim they’re not spammers.
Senders are competing with spammers for bandwidth and resources at the ISPs, they’re competing for postmaster attention at the ISPs and they’re competing for eyeballs in crowded inboxes.
It’s the sheer volume of spam and the crafty evilness of spammers that drives the constant change and improvement in spamfilters. It’s tough to keep up with the spamfilters because they’re trying to keep up with the spammers. And the spammers are continually looking for new ways to exploit recipients.
It can be a challenge to send relevant, engaging email while dealing with spamfilters and ISPs. But that’s what makes this job so much fun.
You might be a spammer if….
You feel the need to add
PLEASE NOTE THAT THIS IS NOT A SPAM OR AUTOMATED EMAIL, IT’S ONLY A REQUEST FOR A LINK EXCHANGE. YOUR EMAIL ADDRESS HAS NOT BEEN ADDED TO ANY LISTS, AND YOU WILL NOT BE CONTACTED AGAIN.IF YOU’D LIKE TO MAKE SURE WE DON’T CONTACT YOU AGAIN, PLEASE FILL IN THE FOLLOWING FORM: <link>
PLEASE ACCEPT OUR APOLOGIES FOR CONTACTING YOU.
Spam lawsuits: new and old
There’s been a bit of court activity related to spam that others have written about and I feel need a mention. I’ve not yet read the papers fully, but hope to get a chance to fully digest them over the weekend.
First is e360 v. Spamhaus. This is the case that actually prompted me to start this blog and my first blog post analyzed the 7th circuit court ruling sending the case back to the lower court to determine actual damages. The lower court ruled this week, lowering the judgment to $27,002 against Spamhaus. The judge ruled that there was actual tortious interference on the part of Spamhaus. In my naive reading of the law, this strikes me as not only an incorrect ruling, but one that ignores previous court decisions affirming that blocklists are protected under Section 230. Venkat seems to agree with me.
Who's sharing data
Al has a post asking what people would do if their information was shared after opting out of any sharing.
It’s a tough call and one I think about as I see mail coming to my mailbox to such addresses as laura-sony and laura-quicken and laura-datran. All of these were addresses given to specific companies and where I attempted to opt-out of them sharing my data with other companies. Somewhere along the line, though, the addresses leaked and got into the hands of spammers.
Those addresses are overwhelmed with spams and scams. The frustrating part is there is no way to fix it. Once the addresses are leaked, they’re leaked. They will be receiving spam throughout eternity, even if the companies involved stop selling data or fix their data handling problem.
I don’t know what to do, honestly. If I think it was a one time thing, such as the addresses that started getting spam after the iContact data leak, then I’ll change my address at the vendor and retire the address the spammers have. But with other vendors, I don’t know what happened and I suspect the vendor doesn’t either, and so I can either deal with the spam or hope that I don’t lose real mail from that vendor.
There’s no easy answer. Any time you hand over an email address, or any other form of personal data, you’re trusting in the company, all of their employees and all of their vendors and partners to be honest and competent. This is often not the case.
What do you do?
The rules of delivery success
Senders with delivery problems ask about “the rules.” “Just tell us what the rules are!” “If the ISPs would just tell us what to do we’d do it!” There is only one rule anyone needs to pay attention to for good mail delivery: Respect the recipient.
Not good enough for you? Want more specific rules? OK.
The two rules everyone must follow for good mail delivery.
Confirming spam reports
Someone floated the idea of having ISPs confirm that a user really wants to report a mail as spam every time they do so. The original poster was asking for comments and what we thought of such an idea.
CAN SPAM Plaintiff ordered to pay 800K in lawyer fees
Asis Internet service has been ordered to pay over $800,000 in lawyer fees to Optin Global. Venkat has details. This is the same company that was recently awarded a $2.5M judgment in a different case.
Spamtraps
There is a lot of mythology surrounding spamtraps, what they are, what they mean, how they’re used and how they get on lists.
Spamtraps are very simply unused addresses that receive spam. They come from a number of places, but the most common spamtraps can be classified in a few ways.
About that spam suit
John Levine has a longer blog post about the Smith vs. Comcast suit. Be sure to read the comment from Terry Zink about the MS related claims.
The secret to fixing delivery problems
There is a persistent belief among some senders that the technical part of sending email is the most important part of delivery. They think that by tweaking things around the edges, like changing their rate limiting and refining bounce handling, their email will magically end up in the inbox.
This is a gross misunderstanding of the reasons for bulk foldering and blocking by the ISPs. Yes, technical behaviour does count and senders will find it harder to deliver mail if they are doing something grossly wrong. In my experience, though, most technical issues are not sufficient to cause major delivery problems.
On the other hand, senders can do everything technically perfect, from rate limiting to bounce handling to handling feedback loops through authentication and offer wording and still have delivery problems. Why? Sending unwanted mail trumps technical perfection. If no one wants the mail then there will be delivery problems.
Now, I’ve certainly dealt with clients who had some minor engagement issues and the bulk of their delivery problems were technical in nature. Fix the technical problems and make some adjustments to the email and mail gets to the inbox. But with senders who are sending unwanted email the only way to fix delivery problems is to figure out what recipients want and then send mail meeting those needs.
Persistent delivery problems cannot be fixed by tweaking technical settings.
What Happens Next…
or Why All Of This Is Meaningless:
Guest post by Huey Callison
The analysis of the AARP spam was nice, but looking at the Mainsleaze Spammer Playbook, I can make a few educated guesses at what happens next: absolutely nothing of consequence.
AARP, if they acknowledge this publicly (I bet not) has plausible deniability and can say “It wasn’t us, it was an unscrupulous lead-gen contractor”. They probably send a strongly-worded letter to SureClick that says “Don’t do that again”.
SureClick, if they acknowledge this publicly (I bet not) has plausible deniability and can say “It wasn’t us, it was an unscrupulous affiliate”. They probably send a strongly-worded letter to OfferWeb that says “Don’t do that again”.
OfferWeb, if they acknowledge this publicly (I bet not) has plausible deniability and can say “It wasn’t us, it was an unscrupulous affiliate”. And maybe they DO fire ‘Andrew Talbot’, but that’s not any kind of victory, because he probably already has accounts with OTHER lead-gen outfits, which might even include those who also have AARP as a client, or a client-of-a-client.
So the best-case result of this analysis being made public is that two strongly-worded letters get sent, the URLs in the spam and the trail of redirects change slightly, but the spam continues at the same volume and with the same results, and AARP continues to benefit from the millions of spams sent on their behalf.
I’m not a lawyer, but I was under the impression that CAN-SPAM imposed liability on the organization that was ultimately responsible for the spam being sent, but until the FTC pursues action against someone like this, or Gevalia, corporations and organizations will continue to get away with supporting, and benefiting from, millions and millions of spams.
As JD pointed out in a comment to a previous post: sorry, AARP, but none of us are going to be able to retire any time soon.
Spam from mainstream companies
Yesterday I wrote about spam I received advertising AARP and used it as an example of a mainstream group supporting spammers by hiring them (or hiring them through proxies) to send mail on their behalf.
My statement appears to have upset someone, though. There is one comment on the post, coming from an IP address allocated to the AARP.
Did anyone actually look at this email before sending?
I received spam advertising AARP recently. Yes, AARP. Oh, of course they didn’t send me spam, they hired someone who probably hired someone who contracted with an affiliate marketer to send mail.
The affiliates, while capable of bypassing spam filters, are incapable of actually sending readable mail.
More on opt-out for B2B marketing
There is still a bit of discussion going on around the HBR article on how B2B mail should be opt-out not opt in on various delivery blogs. Over on the Blue Sky Factory blog new daddy (congratulations!) DJ writes a post about why he thinks opt-out in any context is a poor marketing decision.
One of his commenters follows up with a long comment about how recipients shouldn’t get angry when they get unsolicited email from a company they have interacted with.
Spam is in the eye of the beholder
But only the opinion of the recipient counts. So says a blog post on All Spammed Up.
We only mail people who sign up!
I get a lot of calls from clients who can’t understand why they have spamtraps on their lists. Most of them tell me that they never purchase or rent lists, and they only mail to people who sign up on their website. I believe them, but not all of the data that people input into webforms is correct.
While I don’t have any actual numbers for how many people lie in forms, there was a slashdot poll today that asked readers “How truthful are you when creating web accounts?”. The answer seems to be “not very” at least for the self-selected respondents.
The psychic and the not-really-opt-in
I’ve been getting a continual stream of spam from a psychic. I blogged about it a few months ago, and even had a call with the psychic’s ESP. None of that seemed to matter. Every few days I’d get another ad for psychic candles, or recording services or whatever. It wasn’t mail I could easily filter, and every time I’d get it I’d growl and dump it in my junk folder.
Yesterday, I received another mail from her. The subject line is “list opt-in verification.” Really? Could she really be actually confirming her list? Actually asking if I want to continue receiving mail?
Blocklists, delisting and extortion
As I’m sure many of you have heard by now there is a new blocklist called ‘nszones.’ This blocklist is apparently stealing data from a number of other publicly accessible blocklists, combining the data and then charging folks for delisting.
This is a scam attempting to extort money from people. The blocklist has no way to actually remove IPs from the parent zones and I’m pretty sure they won’t even remove IPs from their own zones. In this case, the blocklist is clearly a scam, but there are other lists that are actually used by some mailservers that do charge for removal.
No legitimate blocklist will ever expect a listee to pay for delisting. Ever.
I feel very strongly about this. In fact, one of the major blocklists is run off a domain owned by Word to the Wise. Occasionally, I get contacted by folks looking for help with a listing on that list and I will not take them on as a client. I will provide general advice and make sure that they are correctly contacting the blocklist but nothing more.
This is, to my mind, the only ethical thing to do. I don’t even want a hint of impropriety surrounding either myself or the blocklist. Charging money for delisting only feeds the conspiracy theories.
Charging listees for removal (or listing listees so those charges can be a revenue source) is likely to lead to poor quality data and a blocklist that’s not terribly accurate nor effective. Furthermore, if a list operator is unethical or confrontational in their interactions with listees, they’re probably equally unprofessional in their interactions with potential list users. This results in few recipient domains actually using the list to block mail. Lists that charge are not widely used and being listed on them often does not affect email delivery in any appreciable manner.
You want to sell me a list?
Over the years, some of my clients have found it expedient to give me email addresses at their domains. These addresses forward mail addressed to laura@clientsite to my own mailbox. Generally these are so I can be added to internal mailing lists and have access to their internal tools.
It’s often amusing to see the spam that comes through to those addresses. Over the last few weeks I’ve received multiple spams advertising an email appending service.
Let the irony sink in. An email appending service is sending me an email at a client company offering the client company the opportunity to append email addresses. “See how accurate our appending is!”
How accurate can a service be if they can’t even target their own spam correctly?
In addition to the appalling targeting they’re also violating CAN SPAM (no physical postal address), their website is a collection of broken links and they don’t provide any company name or information in the email or on the website.
To top it all off, the mail says, “if you’re not the right person to act on this mail, please forward this to the right person.” Followed by a standard legal disclaimer that says, “The information contained in this e-mail message and any attachments is confidential information intended only for the use of individuals or entities named above. If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail at the originating address.”
I wonder if blogging about the utter email incompetence about mail from David Williams, Business Development (phone number: 800-961-5127) violates the confidentiality clause?
Improving the email interface
Want an improved email interface? Then build it.
There’s been an ongoing discussion about adding thumbs up / thumbs down style buttons to email clients. While I am dubious this is a useful feature or something that recipients will use, if there are others in the industry that think it would be useful then I strongly suggest they go ahead and create it.
In fact, there are a couple things that have been asked for in email interfaces that aren’t currently provided. Last October I blogged about adding an unsubscribe button to email clients.
Are you still thinking of purchasing a mailing list?
Last week there was an article published by btobonline promoting the services of a company called Netprospex. Netprospex, as you can probably gather from their company name, is all about the buying and selling of mailing lists. They will sell anyone a list of prospects.
The overall theme of the article is that there is nothing wrong with spam and that if a sender follows a few simple rules spamming will drive business to new heights. Understandably, there are a few people who disagree with the article and the value of the Netprospex lists.
I’ve stayed out of the discussion, mostly because it’s pretty clear to me that article was published solely to promote the Netprospex business, and their point of view is that they make more money when they can convince people to purchase lists from them. Dog bites man isn’t a very compelling news story. Data selling company wants you to buy data from them isn’t either.
They are right, there is nothing illegal about spam. Any sender can purchase a list and then send mail to the addresses on that list, as long as that sender meets the rock bottom standards set out in CAN SPAM. As long as your mail has an opt-out link, a physical postal address and unforged headers that mail is legal. The only other obligation on the sender is to honor any unsubscribe requests within ten days. So, yes, it is legal to send spam.
But legal action isn’t the only consequence of spamming. Today I received the following in an email from a colleague.
Watch those role accounts
Ben at Mailchimp has a post up explaining what role accounts are and why mailing to them can be a problem.
Tagged.com's newest trick
I signed up a disposable address at tagged.com last summer, to see how their signup process went and how aggressive they were at marketing.
They mailed me maybe a dozen times over the course of a month and then the mail stopped.
Until today.
Today I got two messages from tagged.com, one from Sophia C (33) and one from Melinda E (27). The messages are identical except for the names and some of the advertising on the bottom.
I find it a bit coincidental that after all the recent news about Tagged that I start getting mail from them again. Mail that is not from anyone I know. Mail attempting to entice me into logging back into the tagged site.
Social network spam
I’ve been seeing more and more social network spam recently, mostly on twitter. In some ways it’s even more annoying than email spam. Here I am, happily having a conversation with a friend and then some spammer sticks their nose in and tweets “myproduct will solve your problem!”
It’s happened twice in the last week.
In the most recent example, I was asking my twitter network for some advice on pasta making. I’ve made pasta a few times, but it’s never been exactly right. Not having an Italian grandmother to ask, I was looking for someone with experience in pasta making to answer a few questions. I was having an ongoing conversation with a friend who was helping me troubleshoot my problems. He gave me his recipe to try to see if that would work better. I thanked him profusely and replied that I would give it a try but probably not tomorrow because it was accounting day and those tend to run late. Someone replied to that tweet suggesting I try some random accounting software to make my accounting easier.
Just… No.
Interjecting product ads in a conversation may be the “acceptable” and “best practice” way to market through social networking. But, I can promise that you’re no better than the guy who interrupts conversations at parties so he can hand out business cards for his affiliate program selling herbal male enhancement drugs.
Don’t be That Guy.
Update: Today’s twitter spam was from one of the email accreditation services attempting to sell me their email delivery services.
Tagged.com and the courts
I’ve seen multiple reports of Tagged.com and their interactions on various sides of the courtroom aisle.
On the good side, Tagged.com won a judgment against a spammer sending spam to Tagged.com users. (Tagged has a post on their blog about the win, but the direct link to that article doesn’t work).
On the minus side, yet another ruling against tagged.com. They’ve been accused of sending spam, including some mail that looks like a phish. They recently settled in a CA court, agreeing to dispose of certain addresses collected during a 3 month period in 2009.
TWSD: Using FOIA requests for email addresses
Mickey has a good summary of what’s going on in Maine where the courts forced the Department of Inland Fisheries and Wildlife to sell the email addresses of license purchasers to a commercial company.
There isn’t permission associated with this and the commercial company has no pretense that the recipients want to receive mail from them. This is a bad idea and a bad way to get email addresses and is no better than spammers scraping addresses from every website mentioning “fishing” or “hunting.”
ESPs leaking email addresses
Two of my tagged email addresses started getting identical pharma spam over the weekend. It is annoying me because I am now getting spam in a mailbox that was previously spam free. The spam is overwhelming the real traffic and I am having to make some decisions about what to do with the email addresses and their associated accounts with the companies I gave them to.
One thing I did notice, though, is that both companies use iContact as their ESP. A cursory check of my other mailboxes shows that none of my other tagged addresses are mailed through iContact. I don’t think it’s very likely that these two individual, unrelated companies made deals with the same spammers to sell address lists at the same time. It’s much more likely that there was a compromise somewhere and address lists were stolen.
Edit: Checked my other account and, likewise, I’m getting the same spam to a 3rd address serviced by iContact. I’ve sent mail to all 3 companies involved and we’ll see how they react.
And, as I was thinking about this, iContact just laid off a bunch of staff about the same time they announced their partnership with Goodmail. Based on past history with companies in this situation, it seems possible this is a disgruntled former employee. I’ve also seen reports from other people noticing spam to addresses given to iContact customers.
Bad year coming for sloppy marketers
MediaPost had an article written by George Bilbrey talking about how 2010 could be a difficult year for marketers with marginal practices. George starts off the article by noticing that his contacts at ISPs are talking up how legitimate companies with bad practices are causing them problems and are showing up on the radar.
This is something I talked about a few weeks ago, in a series of blog posts looking at the changes in 2010. The signs are out there, and companies with marginal practices are going to see delivery get a lot more difficult. George lists some practices that he sees as problems.
20M leads a month
Some back of the envelope calculations.
20M “opt-in” leads a month is roughly 650,000 leads a day.
Links for 1/15/10
A lot has happened this week.
Spammers and scammers are attempting to steal money from people attempting to donate money to those in earthquake devastated Haiti. A number of places, including CNN and CAUCE, are warning people who want to donate online to do so through trustworthy links. Don’t click on links in unsolicited emails nor on random websites.
AOL laid off most of their postmaster team. This is going to have a significant impact on sender support provided by AOL. The background chatter I’m hearing indicates that there are likely to be response delays of days to weeks for support tickets.
Pivotal Veracity was acquired by Unica, a marketing software company. Industry buzz says that PV will be run as a subsidiary and maintain their independent customer base.
Spamhaus launched a new website, which includes a link for a domain based URI blocklist. There’s not much information available about this new blocklist, but it’s likely to function similar to SURBL and URIBL.
The lethic botnet was penetrated and disabled. Dark Market, one of the large credit card number trading sites, was taken down and the proprietor arrested.
FBI indicts 19 for internet related fraud
A federal grand jury in Dallas returned an indictment this week charging 19 individuals with conspiracy to commit wire and mail fraud. 15 of the defendants are charged with email fraud. All in all, these defendants are accused of defrauding various companies, from telcos to web developers, of $15,000,000.
Important notification spammers break the law
I’m currently being inundated at multiple addresses with spam advertising spamming services. Most of these notices have the subject line: IMPORTANT NOTIFICATION. The text includes:
And the ugly…
Getting back to my series on the good, the typical and the ugly in the ESP field, and there is some very ugly out there. I have 3 examples of the ugliness out there and what ESPs and legitimate senders are competing with.
The fake ESP
A spammer approached me early on in my consulting career, asking me to help him set up a fake ESP. He wanted to set up his corporate network so that to an outsider it would look like he was selling ESP services and thus had a large number of customers. There wouldn’t be any customers, however, all the mail would be coming from his company. When the blocking got bad enough, and it would as he would purchase addresses from anywhere, he would “disconnect” the responsible customer. My role was to help him come up with a plausible sounding acceptable use policy and then contact the ISPs when he “disconnected” the customer. I declined to participate in this scheme. This doesn’t appear to have stopped him, though, if the rumors I hear are to be believed.
Waterfalling
Related to the fake ESP scheme is waterfalling. Spammers acquire lists of email addresses and then begin the process of cleaning them by mailing. In some cases, they mail through fake ESPs, as above. In other cases, they actually spread their traffic out across legitimate ISPs. As they mail the lists through the ESPs, they remove unsubscribes, bounces and complaints. When the list reaches a set cleanliness, they move it to another ESP. They repeat this, gradually moving through cleaner and cleaner ESPs. Eventually, they move the list to their own network and sell mailings to it as an opt-in list. It’s not opt-in, it’s just cleansed of all negative responders.
The companies abusing ESPs to clean their lists do tarnish the reputation of ESPs. While the responsible ESPs do disconnect the waterfallers, they usually do so after problems are detected. That being said, there are some companies that are constantly looking for “partnerships” at ESPs and the ESPs turn them away during the sales cycles.
Affiliates
While not necessarily an ESP problem there are some large companies out there that hire spammers to send acquisition email for them. They also send their own mail, both marketing and transactional, through ESPs. The issue for ESPs comes when the URL blocks happen and the bad reputation of their customer’s mail bleeds back to the ESP’s IP addresses. The ESP becomes known as “one of those places that mails for X” and their reputation falls accordingly. In some cases, even if the mail through the ESP is clean and opt-in, the ESP finds itself blocklisted for just doing business with a company that hires spammers.
I’ve had a couple clients recommended to me by ESPs because the ESP was dealing with a persistent spam block around this particular customer. The mail the customer sent through the ESP was opt-in, but the client was using an extensive network of affiliates to send spam for them. I collected a lot of examples of their spam from various affiliates, even gave them a couple of examples from my own email addresses. One of those addresses has not been actively used in 6 years. My client tells me they talked to their affiliates and that the affiliate assured them I had signed up, I just forgot. The client chose to believe the affiliate over me, despite the fact that I had many other examples. That client lost their ESP (and good for the ESP) but is still sending spam. I just got one advertising their stuff yesterday, at the same address I gave to them years ago, all images, hashbusters, domain hidden behind proxy, coming from a snowshoer network.
All of the companies I’ve talked about here describe themselves as legitimate email marketers. Even the company telling me I opted in to their mail was defending themselves and their affiliates as legitimate email marketers.
Blocking of ESPs
There’s been quite a bit of discussion on my post about upcoming changes that ESPs will be facing in the future. One thing some people read into the post is the idea that ISPs will be blocking ESPs wholesale without any regard for the quality of the mail from that company.
The idea that ESPs are at risk for blocking simply because they are ESPs has been floating around the industry based on comments by an employee at a spam filter vendor at a recent industry conference.
I talked to the company to get some clarification on what that spam filtering company is doing and hopefully to calm some of the concerns that people have.
First off, and probably most important, is that the spam filtering company in question primarily targets their service to enterprises. Filtering is an important part of this service, but it also handles email archiving, URL filtering and employee monitoring. The target market for the company is very different than the ISP market.
The ISPs are not talking about blocking indiscriminately, they are talking about blocking based on bad behavior.
Secondly, this option was driven by customer request. The customers of the spam filtering appliance were complaining about “legitimate” mail from various ESPs. Despite being reasonably targeted, the mail was unrequested by the recipient. While ESPs use FBLs and other sources of complaints to clean complainers off rented or epended lists at ISPs, the option is not available for mail sent to corporations. Enterprises don’t, nor should they have to, create and support FBLs. Nor should employees be expected to unsubscribe from mail they never requested.
This option is the direct result of ESPs allowing customers to send spam.
Thirdly, this option is offered to those customers who ask for it. It is not done automatically for everyone. The option is also configurable down to the end user.
While I haven’t seen the options, nor which ESPs are affected, I expect that the ones on the list are the ones that the filtering vendor receives complaints about. If you are not allowing your customers to send spam, and are stopping them from buying lists or epending, then you probably have not come to the attention of the filtering company and are not on the list of ESPs to block.
TWSD: keep spamming even when they say they'll stop
About a month ago I posted about receiving spam from a psychic attempting to sell me candles and stuff. The spammer was sending mail from a company called “Garden of Sound” using an ESP called OnLetterhead. A brief investigation led me to believe that unsubscribing from the mail was not going to do anything.
The post prompted an email from Scott B. the VP of Marketing of the company that is responsible for OnLetterhead. I replied to his email, pointing out a number of things he was doing that made his business look like an ESP front for spammers.
After he received my mail he called me to talk to me about the content of my post and the email and to assure me they were immediately implementing one of my suggestions (that they not put a generic “here’s how to unsubscribe” link on their 1000+ link domains, instead have those actually point to their AUP and corporate pages). He also assured me they took my complaint seriously and I would no longer be receiving email.
Guess what?
Garden of Sound is still spamming me from OnLetterhead. They’ve not even managed to implement the changes they pledged would be rolled out the same week as my blog post. Sure, the domain I’m getting spam from is different, the physical postal address is different, the product is different, the friendly from is different. But the preheader still says “this mail sent by Garden of Sound.” It’s all the same list, it’s all the same company, it’s all the same group of spammers.
Despite Scott’s attempt to convince me he wasn’t a spammer, it seems my initial impression was right. OnLetterhead is simply a company attempting to look like they’re legitimate without actually taking any responsibility for the email going out from their network. They can’t even manage the bare minimum.
It’s companies like this that give the rest of ESPs a bad name.
Cyber Monday inundation
The cyber monday inundation of mail has hit my mailbox. There’s been a clear increase in marketing mail over the last week. Unfortunately for those marketers, it’s too much and I am just scanning subject lines and marking as read. I don’t have the time to read all this mail.
Legitimate email marketers need to take a stand
I was reading an article on Virus Rants and the opening paragraph really stood out.
I don't have a "this is spam" button
Here at Word to the Wise we have some unique requirements for mail. For instance, I need to be able to receive examples of emails that are being blocked elsewhere in order to do my job. This means not only do we not outsource mail to someone else, we also run limited spam filtering on the server side. It does mean I have to wade through a bit more spam than others do, but that’s generally not a problem. My client side filters do a decent job at keeping most of the crud out of my mailboxes.
My work account gets very little spam in the folder I use as my inbox. I’m not even sure exactly why this is, but it’s true. One of the exceptions is a psychic (no, really) who has a copy of one of my work email addresses and she regularly spams me offering her spiritual guidance and the opportunity to buy her stuff in order to make peace within my world. I’ve received these before, usually I just delete them and move on.
Occasionally, though, I long for the ease of a “this is spam” button. Just to be able to hit a single button, no work, no effort and know that I have registered my frustration with a spammer. Today was one of those days. I really don’t want this psychic spam in my mailbox. It seems reasonably professionally done, though, so I check the headers to see if it’s being sent from any ESP I know and if it’s worth my time to send in a “hey, didn’t sign up for this, and no, I didn’t forget, either” email.
I visited the website belonging to the domain sending the mail.
A blast from the past
I’m sitting here watching Iron Chef (the real one, not the American version) and surfing around on SFGate.com. It’s a slow night catching up on all the news I’ve missed this week while off traveling. I see a link on the front page: “Web marketer ordered to pay Facebook $711M.” As I click I wonder if I know the web marketer in question. A former client? A name I recognize?
Who are you and why are you mailing me?
I’ve mentioned here before that I use tagged addresses whenever I sign up for. This does help me mentally sort out what’s real spam and what’s just mail I’ve forgotten I’ve signed up for.
Yesterday, I received an email from e-fense.com thanking me for my interest in their new product. The mail came to a tagged address, but not a tag that I would have given to e-fense.com. Their opening paragraph said:
TWSD: My lunch is not spam
My ISP information page occasionally gets trackback pings from various blog posts. This week one of the trackbacks was from a blog post titled “One man’s Spam is another man’s lunch.” The theme of the blog post was that email marketers are poor, put upon business people that have to contend with all sorts of horrible responses from recipients, spam filtering companies and ISPs.
Since the poster took the time to link to my blog, I thought I’d take the time to look in detail at his post and talk about how likely it is to work.
Suppressing email addresses: it's good for everyone
Every sender, big or small, should have the ability to suppress sending to any particular email address. They must, absolutely, be able to stop sending mail to anyone for any reason. Not only is this a legal requirement in every jurisdiction that has laws about email marketing, it’s just good business sense.
What happens when marketers fail to be able to suppress email addresses? At some point they’re going to mail someone who gets annoyed enough with them to make it public that they are too incompetent to run an email program.
This happened to the folks over at spamfighter.com recently. They have been spamming Neil Schwartzman (spamfighter, Executive director of CAUCE North America, Director of Standards and Certification at ReturnPath) since somewhere in 2007. Yes, really, 2007. Neil has asked them politely to stop spamming him. He’s explained he’s not actually using their software. They appear to be incapable of running a suppression list, despite telling him 3 times that they have removed his address.
Showing much more restraint than I would have with a sender who couldn’t stop sending me email, Neil gave them years to fix their process before blogging about his experiences. Instead of fixing their broken process they instead responded to his blog post insisting their mail wasn’t spam because they weren’t sending Viagra mail or 3rd party offers.
We can argue about the definition of opt-in, we can argue about whether registration is permission, we can argue about a lot of things, but when the recipient says “stop sending me email” and a sender says “we’ll stop sending you email” and then fails to actually stop sending email I think the recipient is fully justified in calling the email spam. Sorry spamfighter.com, your process is broken and your inability to fix it 2 years after the brokenness was brought to your attention does not give anyone a good impression.
Every email sender should have the ability to stop sending mail to recipients. If that’s not currently possible with your technology, it should be a very high development priority.
Defining spam
This is a post I’ve put off for a while as the definition of spam is a sticky subject. There are online fora where the definition of spam has been debated for more than 10 years, and if there isn’t a working definition after all that time, it’s unlikely there will ever be a definition the participants can agree on.
This came up again recently because one of the comments on my “Reputation is not permission” post took me to task for daring to call the mail “spam.” I’m going to assert here that the mail was unsolicited bulk email. I did not ask for it and I know at least 4 other people that received it.
The commenter, and a few marketers, argue that if the mail is sent without any forgery and the mail contains an opt-out link then it is not spam. It is a definition I have only seen folks who want to send unsolicited bulk email use, however. What they are really arguing is their mail isn’t spam because they provide a valid return address and a way to opt-out. Few people actually agree with this definition.
Here are 10 of the many definitions of spam that I’ve seen.
Registration is not permission
“But we only mail people who registered at our website! How can they say we’re spamming?”
In those cases where website registration includes notice that the recipient will be added to a list, and / or the recipient receives an email informing them of the type of email they have agreed to receive there is some permission involved. Without any notice, however, there is no permission. Senders must tell the recipient they should expect to receive mail at the time of registration (or shortly thereafter) otherwise there is not even any pretense of opt-in associated with that registration.
Take, for example, a photographer’s website. The photographer took photos at a friend’s wedding and put them up on a website for the friend and guests to see. Guests were able to purchase photos directly from the site, if they so desired. In order to control access, the photographer required users to register on the site, including an email address.
None of this is bad. It’s all standard and reasonably good practice.
Unfortunately, the photographer seems to have fallen into the fallacy that everyone who registers at a website wants to receive mail from the website as this morning I received mail from “Kate and Al’s Photos <pictage@pictage.example.com>.” It includes this disclaimer on the bottom:
Sharing content, sharing reputation
Over at SpamResource Al talks about how sharing content is like sharing needles.
How reputation and content interact
Recently, one of my clients had a new employee make a mistake and ended up sending newsletters to people in their database that had not subscribed to those particular newsletters. This resulted in their recipients getting 3 extra emails from them. These things happen, people fat-finger database queries or aren’t as careful with segmentation as they should be.
My clients were predictably unhappy about sending mail their users hadn’t signed up for and asked me what to do to fix their reputation. I advised they not do anything other than make sure they don’t do that again. The first send after their screw-up had their standard 100% inbox delivery. The second send had a significant problem with bulk foldering at Hotmail and Yahoo. The third send had their standard 100% inbox delivery.
So what happened on the second send? It appears that on that send they had a link or other content that “filled the bucket.” Generally, their IP reputation is high enough that content isn’t sufficient to send their mail into the bulk folder. However, their reputation dipped based on the mistake last week, and thus the marginal content caused the bulk foldering.
Overall, these are senders with a good reputation. Their screw up wasn’t enough to damage their delivery itself, but may have contributed to all their mail going into the bulk folder the other day. I expect that their reputation will rebound quickly and they will be able to send the same content they did and see it in the inbox.
Compliance vs. Deliverability
Most people I know handling delivery issues for senders have some version of delivery or deliverability in their job title. But as I talk to them about what they do on a daily basis, their role is as much policy enforcement and compliance as it is delivery. Sure, what they’re telling customers and clients is how to improve delivery, but that is often in the context of making customers comply with relevant terms and conditions.
Some delivery folks also work the abuse desk, handling complaints and FBLs and actually putting blocks on customer sends.
I think the compliance part of the delivery job description is often overlooked and severely downplayed. No one likes to be the bad guy. None of us like handling the angry customer on the phone who has had their vital email marketing program shut down by their vendor. None of us like the internal political battles to convince management to adopt stricter customer policies. All of these things, however, are vital to delivery.
Despite the lack of emphasis on compliance and enforcement, they are a vital and critical part of the deliverability equation.
Marketing to businesses
“If you do stupid things, you’re going to get blocked,” says Jigsaw CEO Jim Fowler in an interview with Ken Magill earlier this week.
Jigsaw is a company that rewards members to input their valuable business contacts. Once the addresses are input into Jigsaw, they are sold to anyone who wants them. Jigsaw gets the money, the people providing information get… something, the people who provided business cards to Jigsaw members get spammed and the people who downloaded the lists get to deal with a delivery mess. Sounds like a lose for everyone but Jigsaw.
Except that now Jigsaw is listed on the SBL for spam support services. Well, that’s going to cause some business challenges, particularly given how many companies use the SBL as part of their filtering scheme.
It’s hard to think of a situation where I would appreciate someone I gave a business card to providing my information to a site that then turns around and lets anyone download it to send email to. I know, I know, there are a million companies out there I’ve never heard of that have The Product that will Solve All my Problems. But, really, I don’t want them in my work mailbox. The address I give out on my business cards is, for, y’know, people to contact me about what I’m selling or to contact me about things they’ve already purchased from me. That address is not for people to market to. I have other addresses for vendors, and even potential vendors, to contact me.
Jigsaw clearly facilitates spam to businesses by collecting email addresses and then selling them on. This is a drain on small businesses who now have inboxes full of valuable offers to wade through. Perhaps their stint on the SBL will make them reconsider their spam support services.
HT: Al
Links for 9/2/09
People are still talking about the White House spamming. At Al Iverson’s Spam Resource there are two posts, one from Jaren Angerbauer titled Guest Post: Email and the White House and another from Al himself titled White House Spam, Signup Forgery, and GovDelivery. Both are insightful discussions of the spam that the White House has been sending. Over at ReturnPath, Stephanie Miller talks about how the publicity surrounding the spam is great PR for permission.
Stefan Pollard has an article at ClickZ looking at how an apology email in response to a recipient visible email mistake can actually make the fallout worse.
Web Ink Now documents one recipient’s experience with a bad, but all too common, subscription practice.
==
Don’t forget to participate in the DKIM implementation survey. For ESPs. For ISPs. Check back next week for results.
Email as a PR problem
Email is a great way to connect to and engage with people. It is also a medium where the sender doesn’t get to control the message as well as they might in other media. This means that sometimes email campaigns go wrong in a way that drives a national news story about how you are a spammer.
In the stress and flurry of dealing with public accusations of spamming many companies overlook the fact that the underlying issue is they are sending mail that the recipients don’t want or don’t expect. If there is a public uproar about your mail as spam, then there is a good chance something in your email strategy isn’t working.
Even in the recent White House as spammers strategy, there is a strong chance that they are actually using reasonable and industry standard methods to collect email addresses. However, in their case, they are a large target for people to forge email addresses in forms. “Bob doesn’t like the president, but I’ll sign him up for this list so he can learn how things really are.” or “Joe doesn’t like the democrats so I’ll sign him up for their mailings just to piss him off.”
When you are confronted with an email campaign that upsets a large number of people there are a number of steps you should take.
Step 1: Gather information
This includes information internally about what actually happened with the campaign and information from the people who are complaining.
Externally: Get copies of the emails with full headers. If you’re working with people who do not want to reveal any details of the mail they received then you may not be able to fully investigate it, but if they do you will have everything you need right there. Figure out where their address came from (you do have good audit trails for all your email addresses, right?).
Internally: Talk to everyone who worked on that particular campaign. This includes the geek down in the IT department who manages the database. Figure out if anything internally went wrong and mail was sent to people it wasn’t intended for. I know of at least 2 cases where a SQL query was incorrectly set up and the unsubscribe list was mailed by accident.
Step 2: Identify the underlying problem
Look at all the available information and identify what happened. Was there a bad source of email addresses? Did someone submit addresses of spamtraps to a webform? Was there a technical problem? Again, talk to your people internally. In many companies I have noticed a tendency to try and troubleshoot problems like this at very high levels (VP or C-level executives) without involving the employees who probably know exactly what happened. This sometimes leads to mis-identifying the problem. If you can’t identify it, you can’t fix it.
Step 3: Identify the solution
Once you know what the problem was, you can work out a solution. Sometimes these are fairly simple, sometimes not so much. On the simple end you may have to implement some data hygiene. On the more complex end, you may need to change how data is handled completely.
Step 4: Inform the relevant parties of the solution
Make a statement about the problem, that you’ve identified it and that you’ve taken steps to fix it. How you do this is a little outside my area of expertise; although I have participated in crafting the message, rely on your PR folks for how to communicate this. In the Internet space, honesty is prized over spin, so do remember that.
Every company is going to have the occasional problem. In the email space, that tends to result in the company being labeled a spammer. Instead of being defensive about the label, use the accusation to drive internal change to stop your mail from being labeled spam by the recipients.
Spam that's not spam
Steve and I were talking this evening and I mentioned to him that I got “a lot of spam that wasn’t really spam. Know what I mean?”
He did. But if I tell that to you, what does it mean to you?
More on this in a couple days, but I’m onsite at a client’s for the next few days so it may take me a plane ride home to put all the thoughts down.
Beware: Phishing and Spam in Social Networks
Trend Micro warns us today about how spam and phishing can hit you even in the closed ecosystem of a social networking system such as Facebook. Malware abounds. And in the social network arena, just like anywhere else, “using your account to send spam” is a common thing for the bad guys to want to do.
In Rik Ferguson’s investigation (which I read about on CNet News), he came across a link to a URL that asked for his Facebook credentials, supposedly necessary to allow installation of a specific Facebook application. Once the credentials were handed over, the app immediately spammed all of his Facebook friends, sending them a bogus notification, attempting to draw them into visiting the phishing/malware URL, with (one assumes) the hope of spreading the infection even wider.
He’s a researcher for Trend Micro, so he knows what he’s doing. But for the rest of us, this highlights how necessary it is to be careful with who you give your usernames and passwords to. In my opinion, it’s never safe to take your username and password from one site and hand it over to another site. Some social networking sites make the problem even worse by blurring the lines between safe and unsafe by asking for usernames and passwords to third party accounts, but you just can never know with 100% certainty which sites are legitimate and which ones aren’t.
— Al Iverson
White House sending spam?
There has been some press about political spam recently. People are receiving email from the White House that they have not opted into. At a recent press conference a reporter challenged the press secretary to defend the practice.
Chris Wheeler over at Bronto blog points out that CAN SPAM doesn’t apply as this is political mail, and CAN SPAM only covers commercial email. He also notes that most of the mail came from “forward to a friend” links which the sender has little to no control over.
Gawker has a post up “Everything you need to know about Obama’s Spam-Gate.”
There are a lot of issues here. Chris asks a number of questions on his blog, that I encourage people to think about.
Contact addresses and spam
One of the challenges anyone doing business on the internet faces is how to provide contact information so that potential customers can reach you in a form that spammers can’t easily abuse. Contact forms are the classic method, but they can (and are) abused by spammers. We decided to try something different. About 2 months ago, we started using rotating contact addresses. Every day a new address is deployed on the contact form on our website. Each address is valid for a fixed period of time, and is then retired.
This seems to be working well for us. Spammers are harvesting the email addresses, but because they are only valid for a fixed period of time, the amount of spam in my mailbox is not overwhelming. I am spending less time searching for sales mails through spam. An interesting side effect is I can actually see who is harvesting addresses and spamming.
It’s not perfect, I’m still getting spam to that address. But it’s spam at a level where I’m not losing real mail.
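One way to implement the rotating contact addresses described above, as an added Python sketch that is not Word to the Wise's own code. The HMAC tag scheme, the 14-day window, the key and `example.com` are assumptions, and the log entries are constructed.

```python
"""Rotating contact addresses: publish one per day, retire it after a fixed window."""
import hashlib
import hmac
from collections import defaultdict
from datetime import date, datetime, timedelta

# Every value here is an assumption for this sketch, not the site's real setup.
SECRET = b"constructed-demo-key"   # server-side key, makes tags unguessable
DOMAIN = "example.com"             # placeholder domain
PREFIX = "contact"
VALID_DAYS = 14                    # the "fixed period"; the post gives no number


def _tag(day: date) -> str:
    """Short keyed tag binding the address to the day it was published."""
    mac = hmac.new(SECRET, day.isoformat().encode(), hashlib.sha256)
    return mac.hexdigest()[:10]


def address_for(day: date) -> str:
    """Address to show on the contact form on `day`."""
    return f"{PREFIX}-{day:%Y%m%d}-{_tag(day)}@{DOMAIN}"


def classify(rcpt: str, today: date):
    """Return (status, publish_day) for an envelope recipient.

    'valid'   issued by us and still inside the window
    'retired' issued by us, window has passed
    'forged'  shaped like a rotating address but the date or tag is wrong
    'other'   not a rotating contact address
    """
    local, _, domain = rcpt.strip().lower().partition("@")
    parts = local.split("-")
    if domain != DOMAIN or len(parts) != 3 or parts[0] != PREFIX:
        return ("other", None)
    stamp, tag = parts[1], parts[2]
    if len(stamp) != 8 or not (stamp.isascii() and stamp.isdigit()):
        return ("forged", None)
    try:
        day = datetime.strptime(stamp, "%Y%m%d").date()
    except ValueError:
        return ("forged", None)
    # Constant-time comparison on bytes; a guessed tag must not pass.
    if not hmac.compare_digest(tag.encode(), _tag(day).encode()):
        return ("forged", None)
    age = (today - day).days
    if age < 0:                       # dated in the future: never published
        return ("forged", None)
    return ("valid" if age < VALID_DAYS else "retired", day)


def harvest_report(log):
    """Group mail sent to retired addresses by the day the address was on the form.

    `log` holds (received_day, rcpt, client_ip) tuples. Mail that keeps arriving
    after retirement points to a list that copied the address on its publish
    day, so each key is a harvesting date and each value the IPs mailing it.
    """
    report = defaultdict(set)
    for received, rcpt, ip in log:
        status, day = classify(rcpt, received)
        if status == "retired":
            report[day].add(ip)
    return {day: sorted(ips) for day, ips in sorted(report.items())}


# Constructed sample log; IPs are from the documentation ranges.
D0 = date(2009, 6, 1)
SAMPLE_LOG = [
    (D0 + timedelta(days=1), address_for(D0), "198.51.100.7"),   # prompt enquiry
    (D0 + timedelta(days=30), address_for(D0), "192.0.2.10"),    # after retirement
    (D0 + timedelta(days=45), address_for(D0), "192.0.2.11"),
    (D0 + timedelta(days=40), address_for(D0 + timedelta(days=3)), "192.0.2.10"),
    (D0 + timedelta(days=5), "contact-20090601-0000000000@example.com", "203.0.113.5"),
]

if __name__ == "__main__":
    for day, ips in harvest_report(SAMPLE_LOG).items():
        print(day, ips)
```

At SMTP time the `retired` and `forged` results are the ones to reject or file separately; the report is what shows which sending IPs share a harvested list.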
Spam judgment not covered by insurance
Earlier this month a judge ruled that two insurance policies held by Scott Richter’s Media Breakaway were not liable to pay $6M in damages awarded in a previous case.
Myspace initially sued Media Breakaway in 2007 for allegedly using phished Myspace accounts to send emails advertising Media Breakaway websites. In summer 2008 an arbiter ruled in favor of Myspace and against Media Breakaway. After the ruling, Media Breakaway attempted to have insurance cover the fine. The insurance company denied the claims so Media Breakaway took them to court. Media Breakaway lost.
Scott has been around in the email marketing arena for a very long time. He’s had multiple run ins with the law, including a 2003 felony theft charge for stealing a number of things, including a Bobcat loader and a 2004 suit brought against him by the NY Attorney General’s office and Microsoft for spamming and deceptive advertising. That court case bankrupted his previous company, OptInRealBig. Scott has also appeared on the Daily Show, in a side-splittingly funny story about spam and email marketing…. er… high volume email deploying.
12% of email recipients respond to spam
Twitter and some of the other delivery blogs are all abuzz today talking about the consumer survey released by MAAWG (pdf link, large file) looking at end user knowledge and awareness of email security practices.
The survey has a lot of good data and I strongly encourage people to look at the full report. There are a couple of results that are generating most of the buzz, including the fact that nearly half of the respondents have clicked on a link or replied to a spam email. Additionally, 17% of respondents said they made a mistake when they clicked on the link.
The magic statistic, though, is that 12% of the respondents said that they responded to spam because they were interested in the products or services offered in the spam. This, right there, is one of the major reasons why spam continues and is a growing problem. Out of 800 people surveyed, almost 100 of them were interested enough in the products sold by spam to respond positively. There are roughly 1.6 billion people on the Internet, which gives spammers a market of 200 million people for their spam.
Other studies have seen similar responses; that is, consumers do respond to spam. Most surveys don’t define spam, however, and given that a lot of consumers call “mail I don’t like” or “all commercial email” spam, it’s hard to know what the respondents are responding to. In some studies, some respondents even defined mail from companies that they had given their email address to, but had not explicitly asked for email from, as spam. In this study MAAWG did ask how the respondent defined spam. Of the respondents, 60% say spam is mail they did not solicit, and 41% say spam is mail that ends up in the spam folder. Given that 60% of respondents define spam as “unsolicited email” it is possible that some people are responding to mail they never requested.
Sad news for those of us who were hoping that lack of consumer response would make spamming unprofitable enough that spammers would stop.
The crosstab between “how do you define spam” and “how do you react to spam” may be an interesting data set to see.
Unsubscribe rates as a measure of engagement.
Over at Spamtacular Mickey talks about the email marketers’ syllogism.
- Anyone who doesn’t want our mail will opt-out.
- Most people don’t opt-out.
- Therefore, most people want our mail.
This clearly fallacious reasoning is something I deal with frequently with my clients, particularly those who come to me for reputation repair. They can’t understand why people are calling them spammers, because their unsubscribe rates and complaint rates are very low. The low complaints and unsubscribes must mean their mail is wanted. Unfortunately, the email marketers’ syllogism leads them to faulty conclusions.
There are many reasons people don’t opt-out of mail they don’t want. Some of it may be practical, the mail never hits their inbox, either due to ISP level filters or their own personal filters. Some people take a stance that they do not opt out of mail they did not opt-in to and if they don’t recognize the company, they won’t opt-out.
In any case, low levels of opt-outs or even this-is-spam hits does not mean that recipients want that mail. The sooner marketers figure this out, the better for them and their delivery.
Winning friends and removing blocks
I do a lot of negotiating with blocklists and ISPs on behalf of my clients and recently was dealing with two incidents. What made this so interesting to me was how differently the clients approached the negotiations.
In one case, a client had a spammer slip onto their system. As a result the client was added to the SBL. The client disconnected the customer, got their IP delisted from the SBL and all was good until the spammer managed to sweet talk the new abuse rep into turning his account back on. Predictably, he started spamming again and the SBL relisted the IP.
My client contacted me and asked me to intercede with Spamhaus. I received a detailed analysis of what happened, how it happened and how they were addressing the issue to prevent it happening in the future. I relayed the info to Spamhaus, the block was lifted and things are all back to normal.
Contrast that with another client dealing with widespread blocking due to a reputation problem. Their approach was to ask the blocking entity which clients they needed to disconnect in order to fix the problem. When the blocking entity responded, the customer disconnected the clients and considered the issue closed. They didn’t look at the underlying issues that caused the reputation problems, nor did they look at how they could prevent this in the future. They didn’t evaluate the customers they disconnected to identify where their processes failed.
The first client took responsibility for their problems, looked at the issues and resolved things without relying on Spamhaus to tell them how to fix things. Even though they had a problem, and are statistically going to have the occasional problem in the future, this interaction was very positive for them. Their reputation with the Spamhaus volunteers is improved because of their actions.
The second client didn’t do any of that. And the people they were dealing with at the blocking entity know it. Their reputation with the people behind the blocking entity was not improved by their actions.
These two clients are quite representative of what I’ve seen over the years. Some senders see blocking as a sign that somehow, somewhere there is a flaw in their process and a sign they need to figure out how to fix it. Others see blocking as an inconvenience. Their only involvement is finding out the minimum they need to do to get unblocked, doing it and then returning to business as usual. Unsurprisingly, the first type of client has a much better delivery rate than the second.
TWSD: Run, hide and obfuscate
Spammers and spamming companies have elevated obfuscating their corporate identities to an artform. Some of the more dedicated, but just this side of legal, spammers set up 3 or 4 different front companies: one to sell advertising, one or more to actually send mail, one to get connectivity and one as a backup for when the first three fail. Because they use rotating domain names and IP addresses all hidden behind fake names or “privacy protection services”, the actual spammer can be impossible to track without court documents.
One example of this is Ken Magill’s ongoing series of reports about EmailAppenders.
Aug 5, 2008 Ouch: A List-Purchase Nightmare
Sept 9, 2008 Umm… About EmailAppenders’ NYC Office
Sept 15, 2008 E-mail Appending Plot Thickens
Nov 11, 2008 EmailAppenders Hawking Bogus List, Claims Publisher
Dec 23, 2008 Internet Retailer Sues EmailAppenders
Feb 1, 2009 EmailAppenders Update
Mar 10, 2009 Another Bogus E-mail List Claimed
April 14, 2009 EmailAppenders a Court No-Show, Says Internet Retailer
April 21, 2009 EmailAppenders Gone? New Firm Surfaces
May 5, 2009 EmailAppenders Back with New Web Site, New Name
Their actions, chronicled in his posts, are exactly what I see list providers, list brokers and “affiliate marketers” do every day. They hide, they lie, they cheat and they obfuscate. When someone finally decides to sue, they dissolve one company and start another. Every new article demonstrates what spammers do in order to stay one step ahead of their victims.
While Ken has chronicled one example of this, there are dozens of similar scammers. Many of them don’t have a persistent reporter documenting all the company changes, so normal due diligence searches fail to turn up any of the truth. Companies looking for affiliates or list sources often fall victim to scammers and spammers, and suffer delivery and reputation problems as a result.
Companies that insist on using list sellers, lead generation companies and affiliates must protect themselves from these sorts of scammers. Due diligence can be a challenge, because of the many names, domains and businesses these companies hide behind. Those tasked with investigating affiliates, address sources or mailing partners can use some of the same investigative techniques Ken did to identify potential problems.
What Mark Said
Mark Brownlow skewers the arguments from opt-out proponents. A definite must read.
Fake privacy policies
I sign up at a lot of websites and liberally spray email addresses across the net. These signups are on behalf of one customer or another and each webform gets its own tagged and tracked email address. I always have a specific goal with each signup: getting a copy of a customer’s email, checking their signup process, auditing an affiliate on behalf of a customer or identifying where there might be a problem in a process. Because I have specific goals, I am pretty careful with these signups and usually uncheck every “share my email address” box I can find on the forms.
In every case the privacy policies of my clients and the things they tell me are explicit in that addresses will not be shared. It’s all opt-in, and email addresses are not shared without permission. Even in the cases where I am auditing affiliates, my clients assure me that if I follow this exact process my address will not be shared. Or so the affiliates have assured them.
Despite my care and the privacy policies on the websites, these addresses occasionally leak or are sold. This is actually very rare, and most of the websites I test never do anything with my address that I don’t expect. But in a couple cases these email addresses have ended up in the hands of some hard core spammers (hundreds of emails a day) and there was no useful tracking I could do. In other cases the volume has been lower, and I’ve watched the progression of my email addresses being bought and sold with morbid fascination.
Today an address I signed up at a website about a year ago got hit with multiple spams in a short time frame. All came from different IPs in the same /24. All had different domains with no websites. Whois showed all the domains were registered behind a privacy protection service. Interestingly, two of the domains used the same CAN SPAM address. The third had no CAN SPAM address at all. None of these addresses match the data I have on file related to the email signup.
It never ceases to amaze me how dishonest some address collection outfits are. Their websites state clearly that addresses will not be bought and sold, and yet the addresses get lots of spam unrelated to the original signup. Those dishonest enough to do this will never get caught unless recipients tag and track all their signups. Even worse, unless their partners test their signups or their mailing practices, the partners may end up unwittingly sending spam.
Organizing the mail flow
I get a lot of email. On a typical day I will get close to 2000 messages across my various work and personal accounts. About 60 – 70% of that mail is spam and caught by spamassassin or my mta filters and moved into mailboxes that I check once a day for false positives. About 15 – 10% of the remaining mail is from various discussion lists, and those are all sorted into their own mailboxes so I can keep conversations straight. The rest of the email is divided between mail directly to me and various commercial lists I have opted in to.
Up until recently, the commercial mail was all just dumped into my inbox. Nothing special happened to it; it just sat there until I could read it. Recently, however, the volume of commercial mail has exploded, swamping my inbox. After losing track of some critical issues, I sat down and fixed my mail filters. Now, all my commercial and marketing mail (i.e., mail I signed up for with tagged addresses) is filtered into its own mailbox.
There are two takeaways here.
One: the volume of commercial mail has increased significantly. Companies who were previously mailing me once a month are now mailing me twice a week. This contributed to the clutter and resulted in me pushing all commercial mail out of my inbox. I don’t think this increase is limited to just my mailbox, I believe many recipients are seeing an increase in commercial and marketing email, to the point where they’re finding it difficult to keep up with it all.
Two: Recipients have a threshold over which too much email makes their mailbox less usable. Once this threshold is reached they will take steps to change that. In my case, I can just filter all the commercial email as I use tagged addresses for all my signups. In other cases, they may start unsubscribing from all the mail cluttering their mailbox or blocking senders.
It is the tragedy of the commons demonstrated on a small scale.
Delivery lore
Almost every delivery consultant, delivery expert or deliverability blog offers their secrets to understanding spam filters. As a reader, though, how do you know if the author knows what they’re talking about? For instance, one of the major delivery blogs had an article today saying that emails with a specific subject line will not get past spam filters.
This type of statement is nothing new. The lore around spam filters and what they do and do not do permeates our industry. Most of it has achieved the status of urban legend, and yet is still repeated as gospel. Proof? I sent an email with the subject line quoted in the above blog post to my aol, yahoo, gmail and hotmail accounts. Within 3 minutes of sending the email it was in the inbox of all 4 accounts.
I can come up with any number of reasons why the email ended up in my inbox, rather than being caught by spam filters as the delivery expert originally claimed. But none of those reasons really matter. The expert in question is spreading delivery lore that is demonstrably false. Emails with that subject line will get through spam filters. I even added an extra 4 exclamation points in the subject line.
Not all delivery lore is true. In fact, most lore involving “always,” “all,” “never” or “none” is not going to be true. Just because you read it on the internet, and because it came from someone claiming to know what they’re talking about, does not absolve individual senders from critically thinking about the information.
Jon Leibowitz: New FTC chair
Jon Leibowitz is slated to be appointed the new chair of the FTC as reported by Bloomberg and CNet. This may mean tougher regulations online. In the past Mr. Leibowitz has advocated that online advertisers move to opt-in for website cookies. This may signal his intention to put more control in the hands of the consumer. According to Bloomberg, Mr. Leibowitz has also “advocated more aggressive enforcement by the FTC.” We may see more CAN SPAM prosecutions as a result.
Brand name spam
I’ve been getting a lot more spam advertising name brand companies. Places like FTD Flowers, Seattle Coffee Direct, Wal-Mart, Jet Blue, Gevalia and VistaPrint seem to all be working with spammers. In some cases, I am getting the same email to different email addresses from different domains and different IP addresses.
I am sure, if asked, all the advertised companies would say they have no knowledge of spamming by their vendors. I’m sure they would say that their vendors tell them I opted in to the email and must have just forgotten. I am sure that this isn’t really spam.
Except it really is spam. Real companies with real brands do use the services of spammers. When caught they loudly protest their innocence and talk about rogue affiliates. In the best cases they will “fire” the affiliate and then look the other way when the affiliate signs back up.
Spam is sending mail to people who never requested it. Hiring someone to do it for you doesn’t mean you aren’t a spammer. With the economy tanking and companies trying to maximize their bottom line, more and more name brands seem to be jumping on the spam bandwagon. It is not an unexpected development, but it will mean more aggressive spam filtering and more difficult email delivery for everyone.
Question from the comments
On yesterday’s post there is a question in the comments that I think needs a bit more discussion.
The unexpected email
In almost every discussion of “how to stop spam” someone will come up with the idea that if a recipient only allowed known people to send them email then the spam problem would be solved. There are lots of problems with this type of solution, but one of the biggest is that it ignores that sometimes the unexpected email is wanted. Typically, these unexpected but wanted emails are from an old friend or contact. But sometimes, the unexpected email can actually look like unsolicited bulk email and yet be wanted.
I actually received one of those emails today. The folks at http://schmap.com found my flickr stream and sent me email asking me for permission to use a couple of my photos in their London city guide. Completely unexpected, but very welcome email.
Sometimes, in the struggle to keep email useful and to keep spam out of the inbox, we forget how useful and wanted that unexpected email can be.
TWSD: breaking the law
I tell my clients that they should comply with CAN SPAM (physical postal address and unsubscribe option) even if the mail they are sending is technically exempt. The bar for legality is so low, there is no reason not to.
Sure, there is a lot of spam out there that does not comply with CAN SPAM. Everything you see from botnets and proxies is in violation, although many of those mails do actually meet the postal address and unsubscribe requirements.
One of my spams recently caught my eye today with their disclaimer on the bottom: “This email message is CAN SPAM ACT of 2003 Compliant.” The really funny bit is that it does not actually comply with the law. Even better, the address it was sent to is not published anywhere, so the company could also be nailed for a dictionary attack and face enhanced penalties.
It reminds me of the old spams that claimed they complied with S.1618.
Just Leave Me Alone Already
I tend to avoid online sites that require you to register and provide information including email addresses. In my experience, companies cannot resist sending email, and my email load is extremely heavy and I want less email, not more. Sometimes, though, what I need to do requires an online registration and giving an email address to a company I would really prefer not to have it.
Recently, I had to register online with AT&T Wireless. My iPhone was getting repeated text spams and I wanted it to stop. The only way to do this is register online. Registering online required giving them an email address.
The text spam has stopped, but they have been sending me almost daily emails since then. Each email has an opt-out, and I have availed myself of every opportunity to opt-out. Each opt-out link takes me to a different site, a different page, a different process.
In two of the cases, AT&T seems to be violating the new CAN SPAM provisions. For one, I had to tell them what I wanted to opt-out of (email or phone) and then was taken to a page where I had to input my cell number, my email address and request to be removed. In another case, I was forced to login to my online wireless account and then was able to change preferences. In only one of the 3 opt-outs I have requested was the opt-out form actually a single click, just requiring my email address.
I am wondering just how many mailing lists AT&T added my address to and how often they will continue sending me mail after their 10 days are up. It is this level of frustration, that mail just keeps coming and coming and coming even after the recipient has repeatedly attempted to opt-out, that causes people to hit the “this is spam” button on mail that the sender thinks is opt-in.
But, really, AT&T, please stop sending me mail that I never asked for, and that I have repeatedly asked you to stop sending me by jumping through your hoops. Oh, and you may consider sharing the opt-out data with all the same internal groups that you shared my email address with initially.
McColo goes offline
Last week a major player in the botnet arena was taken offline when they were shut down by their upstream provider. With the demise of McColo, there has been a 30 – 50% drop in the amount of spam as measured by any number of different techniques. The CBL team has posted an article about their view of the McColo disconnection, which includes links to press articles about the shutdown. Spamhaus has their own take on the shutdown and another collection of links to articles about the shutdown.
In my own mailbox, I have noticed a drastic decrease in the amount of spam over the last week. I am too jaded to expect that the change is permanent, but it is nice while it lasts.
Monitoring customers at ESPs
In the past I’ve talked about vetting clients, and what best effort encompasses when ESPs try to keep bad actors out of their systems. But what does an ESP do to monitor clients ongoing? Al Iverson from ExactTarget says that they:
McCain Campaign Spamming
As I mentioned in my post on spam from the Obama campaign, there have been reports of spam coming from the McCain campaign. However, the McCain campaign does not seem to be sending the volume of mail that the Obama campaign is, and so they are not as visible.
A recent post over at Denialism Blog shows that the McCain campaign has some of the same problems as the Obama campaign. Chris talks about the unsubscribe options he is presented when trying to stop the spam he is receiving. He suggests the campaign adds another option:
Email and the Obama Campaign
Late in the summer there were people talking about the spam coming from Senator Obama’s presidential campaign. At that time, most of the discussion was focused on the open subscription form on their website and that there were some individuals who had been fraudulently signed up and were now receiving email from the campaign.
Last week, the Senator’s campaign again became a topic of discussion among some anti-spam groups. The maintainer of one of the more respected public blocklists and members of his family received mail from Senator Obama’s presidential campaign at their personal addresses. Because the mail was unsolicited and met the qualifications for listing, the sending IP addresses were listed on the blocklist. In response, the campaign’s ESP started moving the Senator’s mail to other IP addresses, resulting in those IPs also being listed on the blocklist.
I talked with the blocklist maintainer and I believe that his address, and those of his family members, were added to the Senator’s mailing list as the result of an email append. All of them are registered Democrats and they all live in a battleground state.
This may have made for good campaign strategy; not being an expert I cannot comment on that. It is, however, very poor email marketing strategy.
First, the campaign decided to appropriate permission to send email. There is not ever permission associated with an email append. Just because you have a name and a street address does not mean that you have permission to send email. In very, very limited circumstances, an opt-in append (click here to continue receiving email) may be acceptable. However, that is not how appending is normally done.
There is no pretense of permission to send email. Just because someone is registered to a particular party does not mean they want to receive email from that party.
Second, when the campaign started seeing delivery problems they started sending off different IP addresses. Moving IPs around is out and out spammer behavior, no questions asked.
Now, I know this is a very hotly contested election and I know that some people believe that any method of getting the word out is good. I also expect that there may have been some positive reaction from recipients. The overall reaction, based on the IPs changing, may not have been so positive.
Do I really believe that Senator Obama is an evil and willful spammer? No, not really. But that does not change the fact that the Obama campaign seems to be sending email without the permission of the recipient and seems to be attempting to evade blocks by moving IP addresses.
From a marketing perspective, the campaign may be using email effectively and doing everything right. But from an email delivery perspective, they are getting many, many of the basics wrong and are looking like spammers in the process.
Other news and blogs that talk about spam from the Obama campaign:
Alphabetical spammers
There have been a couple posts recently about a paper presented at the Fifth Conference on Email and Spam (CEAS). The paper showed how addresses beginning with different letters get different volumes of spam.
But this post is not really about the paper, although it is an interesting academic review of spam; it is more about a memory that the discussions triggered.
Long ago I was handling the abuse desk at the very large network provider. This was in the days before Feedback loops, so every complaint was an actual forwarded email from a recipient. Generally, we saw a couple dozen complaints about any individual spam problem. Not a huge volume by any means, but that meant that any volume of complaints was significant.
One afternoon I started seeing a spike in complaints about a customer who never received complaints before. I started looking a little deeper and discovered we had around 50 complaints about this mailing, many from people I knew, and all from individuals at domains that started with A. This was one of the few times we actually pulled the plug in the middle of a mailing.
I still remember going to my boss suggesting this was something to take action on now because we had over 50 complaints and they were still in the A’s! The customer was mortified that the guaranteed opt-in list they purchased was so bad and promised never to spam again.
Have a good weekend everyone.
SpamZa: corrupting opt-in lists, one list at a time
A number of ESPs have been tracking problematic signups over the last few days. These signups appear to be coming from an abusive service called SpamZa.
SpamZa allows anyone to sign up any address on their website, or they did before they were unceremoniously shut down by their webhost earlier this week, and then submits that address to hundreds of opt-in lists. This is a website designed to harass innocent recipients using open mailing lists as the harassment vehicle.
Geektech tested the signup and received almost a hundred emails 10 minutes after signing up.
SpamZa was hosted on GoDaddy, but was shut down early this week. SpamZa appears to be looking for new webhosting, based on the information they have posted on their website.
What does this mean for senders?
It means that senders are at greater risk for bad signups than ever before. If you are targeted by SpamZa, you will have addresses on your list that do not want your mail. Some of those addresses could be turned into spam traps.
Political Spam
At Adventures in Email Marketing, there is a post up this morning about political spam. It seems Anna discovered that providing her email address on her voter registration card not only results in political groups sending her email to that address, but also that political email does not have to follow the rules of CAN SPAM. The article ends with a few questions and makes some suggestions.
Verifying email addresses
Over at CircleID Aviram Jenik posts about using email addresses as identification and how that can go horribly wrong if the website does no verification. In his case, the problem is a user who has made a purchase using Aviram’s gmail address and Aviram now has access to the other user’s personal information. As he explains it:
Botnets
Terry Zink has been posting articles about botnets as traced by Hotmail. I do not often talk about botnets as they are outside my area of expertise. They are not something I deal with, as no one who uses botnets is welcome as a client here.
My clients and I, however, do have to deal with the fallout from botnets. Because of botnets, receiver ISPs are extremely suspicious of mail from any IP address that they have not seen mail from previously. Mail from new IPs is, more often than not, a newly infected Windows machine. This results in mail from new IPs not starting with a reputation of zero but starting with a negative reputation.
Botnets are another example of spammers making it more difficult for mailers with permission to use email.
Forgery and spamware
Recently there has been a massive uptick in forgeries. I have been seeing hundreds of bounce back messages, peaking at more than 1000 in an hour. I have been talking about this with people who monitor large spamtrap feeds, large MTAs and spamfilters and it seems this is not an isolated experience. The consensus seems to be that there is new spamware out there which is using email addresses on the spam list as a From: address.
The volume itself is annoying. Thousands of messages a day from “mailer-daemon” telling me that the mail I sent with the subject line “Get a longer tool” cannot be delivered to some random address somewhere. These are coming to at least 3 separate email addresses. One of them was given to Intuit back in 2001/2002 when I registered a copy of Quicken, and ended up leaked to loan spammers and is all over spam lists. The other two are addresses scraped from websites. Same spammer has them, same spammer is using them as part of his spam run.
Even more annoying than the volume, though, is the challenge/response emails. “Your email to jobobjimbo@example.com cannot be delivered until you click this link.” I have been adding every domain I can find that is using c/r to my filters, and just discarding the c/r emails so I do not have to deal with them. That is not my ideal solution; it does mean that if someone using c/r ever tries to contact me I will not see the challenge and our communications cannot happen.
Some people have recommended that the right way to deal with challenges from forged spam is actually to answer the challenges. As the reasoning goes, if someone using c/r is going to outsource their spam filtering to a victim of spam forgery, then they should expect that the “spam filter” may have a different opinion than they do. While I always sympathized with this viewpoint, I was not sure I would ever confirm spam forgeries. The sheer volume of c/r stuff I have received in the last few weeks has almost convinced me that people who use c/r deserve every bit of spam they get. If a c/r filter lets in spam, then perhaps they will reconsider their choice to spew challenges out to forged email addresses.
The amount of c/r spam I am getting as part of the forgery runs is decreasing; I think I have finally managed to block the primary sources. It does mean I will not be able to communicate with people who use c/r in the future, but I find this a small price to pay for not having to be an outsourced spam filter. I get enough of my own spam, I really do not want to have to deal with yours.
That's spammer speak
I’ve been hearing stories from other deliverability consultants and some ISP reps about what people are telling them. Some of them are jaw dropping examples of senders who are indistinguishable from spammers. Some of them are just examples of sender ignorance.
“We’re blocked at ISP-A, so we’re just going to stop mailing all our recipients at ISP-A.” Pure spammer speak. The speaker sees no value in any individual recipient, so instead of actually figuring out what about their mail is causing problems, they are going to drop 30% of their list. We talk a lot on this blog about relevancy and user experience. If a sender does not care about their email enough to invest a small amount of time into fixing a problem, then why should recipients care about the mail they are sending?
A better solution than just throwing away 30% of a list is to determine the underlying reasons for delivery issues, and actually make adjustments to address collection processes and user experience. Build a sustainable, long term email marketing program that builds a loyal customer base.
“We have a new system to unsubscribe people immediately, but are concerned about implementing it due to database shrink.” First off, the law says that senders must stop mailing people that ask. Secondly, if people do not want email, they are not going to be an overall asset. They are likely to never purchase from the email, and they are very likely to hit the ‘this is spam’ button and lower the overall delivery rate of a list.
Let people unsubscribe. Users who do not want email from a sender are cruft. They lower the ROI for a list, they lower aggregate performance. Senders should not want unwilling or unhappy recipients on their list.
“We found out a lot of our addresses are at non-existent domains, so we want to correct the typos.” “Correcting” email addresses is an exercise in trying to read recipients’ minds. It seems intuitive that someone who typed yahooooo.com meant yahoo.com, or that hotmial.com meant hotmail.com, but there is no way to know for sure. There is also the possibility that the user is deliberately mistyping addresses to avoid getting mail from the sender. It could be that the user who mistyped their domain also mistyped their username. In any case, “fixing” the domain could result in a sender sending spam.
Data hygiene is critical, and any sender should be monitoring and checking the information input into their subscription forms. There are even services which offer real time monitoring of the data that is being entered into webforms. Once the data is in the database, though, senders should not arbitrarily change it.
Social network sends spam
Yesterday we talked about social networks that harvest the address books of registered users and send mail to all those addresses on behalf of their registered user. In the specific case, the registered user did not know that the network was going to send that mail and subsequently apologized to everyone.
That is not the only way social networks collect addresses. After I posted that, Steve mentioned to me that he had been receiving invitations from a different social network. In that case, the sender was unknown to Steve. It was random mail from a random person claiming that they knew each other and should network on this new website. After some investigation, Steve discovered that the person making the invitation was the founder of the website in question and there was no previous connection between them.
The founder of the social networking site was harvesting email addresses and sending out spam inviting people he did not know to join his site.
Social networking is making huge use of email. Many of my new clients are social networking sites having problems delivering mail. Like with most things, there are some good guys who really do respect their users and their privacy and personal information. There are also bad guys who will do anything they can to grow a site, including appropriating their users’ information and the information of all their users’ correspondents.
It is relatively early in the social networking product cycle. It remains to be seen how much of an impact the spammers and sloppier end will have. If too much spam gets through, the spam filters and ISPs will adapt and social networks will have to focus more on respecting users and potential users in order for their mail to get delivered.
How to be a spammer
JD had a comment on my Valentine’s Day semi-fluff post, that really summed up the reality for senders. He said
ESP unwittingly used to send spam
Late last week I heard from someone at AOL that they were seeing strange traffic from a major ESP, that looked like the ESP was an open relay. This morning I received an email from AOL detailing what happened as relayed by the ESP.
CAN SPAM compliance.
Over on the ET blog, Al posted about how CAN SPAM compliance is not sufficient for you to not be spamming.
It’s a bit different perspective, but very complementary to my post yesterday about what is and is not spam. He and I have both heard from ISP people about how many requests for whitelisting or unblocking are prefaced with, “We comply with CAN SPAM” and how meaningless that statement really is. Al has a longer discussion of why.
What really is "spam" anyway?
A few days ago I was reading the attempt by e360 and Dave Linhardt to force Comcast to accept his mail and to stop people posting in the newsgroup news.admin.net-abuse.email from claiming he is a spammer. The bit that pops out at me in this complaint of his, is the fact that he believes that by complying with the minimal standards of the CAN-SPAM act, he is not spamming.
The problem with this claim is that CAN SPAM lists the minimal standards an email must meet in order to avoid prosecution. CAN SPAM does not define what is spam, it only defines the things senders must do in order to not be violating the act. There is no legal definition of spam or of what is not spam.
To add to the confusion there are a number of confusing and contradictory definitions of spam. Definitions people have used over the years include:
Wired editor has enough spam!
Seth Godin links to a post up over on The Long Tail about spammers who send PR mail to Chris Anderson, an editor at Wired. Apparently lots of people send automated email to the editor of Wired hawking their latest and greatest product, service or photos.
In response to this overwhelming amount of mail, Chris has instituted a new email acceptance policy. He says
Experience as a recipient
One of the challenges of my job is to separate my personal feelings and experiences related to email marketing and spam from my advice to clients. I am here to make your delivery better, not to make everyone use email marketing the way that makes me the most comfortable.
That being said, I get a lot of spam across my various email addresses. If I have an extra few minutes I’ll sometimes send complaints, but more and more it is too hard, too complicated and / or the ISPs do not care anyway. In the last 2 weeks I’ve had 3 experiences with unexpected / unwanted email (aka: spam) where I did take action.