Spammers

The Economics of Cold Outreach

It’s time we talk about cold outreach mail. In the last 2 years the volume and aggressiveness of cold outreach mail seem to have exploded. There are dozens of companies out there who are selling services to companies to facilitate cold outreach. My own sales mailbox is full of requests from companies to help them solve their delivery problems.

Read More

Bad marketing automation, part deux

Back in April I wrote about some poor marketing automation that ended up spamming me with ‘cart abandonment’ emails when the issue was the company’s credit card processing went down. That post has now been scraped by the spammers Moosend and they keep sending me… poorly targeted automated spam.

Read More

CRTC fines individual for company violations under CASL

The Commission finds that nCrowd, Inc. committed one violation of paragraph 6(1)(a) and one violation of paragraph 6(2)(c) of Canada’s Anti-Spam Legislation (the Act) in relation to commercial electronic messages sent to recipients in Canada. The Commission also finds that Brian Conley is liable, under section 31 of the Act, for those violations. Accordingly, the Commission imposes an administrative monetary penalty of $100,000 on Brian Conley. CRTC

The commission’s report is well worth a read as it discusses many of the things I’ve noticed from spamming operations over the years. It’s pretty standard business practice for spammers to have a complex set of sorta but not really different businesses. They all interact and share data, but not legal liability. They’re mostly treated as one business by the principals and there’s no real dedication to any one brand name.

Read More

SaaS systems are spammer targets

There are probably hundreds of thousands of really awesome SaaS products out there. They provide a framework to do all sorts of stuff that used to be really hard to do. Almost all of them include some email component. They dutifully build the email piece into their platform and, because they’re smart, they outsource the actual sending to one of the SMTP providers. They’re happy, their customers are happy, and spammers are happy.

Read More

Conversations with spammers

It’s amazing how many spammers try and fool deliverability into accepting a questionable list. All too often they fall back on a story. The basic points: a company you’ve never heard of collected millions of email addresses on a website hosted on a low end VPS.

Me: I’ve never heard of your company.
Spammer: We’re just that much better at marketing. This list is guaranteed 100% opt in. Subscribers are desperate to hear from us. The mail is vital and important. We had some problems at our last ESP, but that’s just because they don’t understand our business model. And we had a brief problem with complaints. But they weren’t real complaints. Our competitors are signing up for the list and complaining to hurt our business. It’s not a list problem, it’s that we’re so dominant they have to subvert us. That’s just because we’re that much better at their jobs than anyone else.
Me: You’re looking for deliverability help.
Spammer: Well, yeah, sometimes Gmail delivery is bad, but that’s simply because we won’t pay Google money for advertising. Google is so afraid of us they deliberately filter all this spectacularly wanted email into the bulk folder. They have problems with us as a business. Oh, and we might, sometimes, occasionally have a minor problem with Yahoo. But, again, it’s because we threaten them and they don’t want to have to compete on a level playing field.
If they’re a potential customer, I tell them about our services and offer a proposal. Once some company I’ve never heard of tells me their bad delivery is because global companies are afraid of them, there’s really nothing I can do. They’re unlikely to listen to me explain reality to them.
Sometimes, though, this conversation happens because I’m consulting for an ESP or an Agency. They’ve brought me in to discuss deliverability with a customer or vendor. In those cases, it’s my job to keep going.
Me: Your site doesn’t actually have a signup form.
Spammer: That’s because we’re in the middle of an upgrade cycle and had some problems with the back end. [Alternative: We stopped collecting new email addresses because of their deliverability problems and removed the form.]
Me: Your site has a signup form, and I signed up, but never got any mail from you.
Spammer: We disconnected the signup form while we handle our deliverability problems. [Alternative: That shouldn’t happen. We can forward you some messages instead.]
Me: I have received spam advertising your company.
Spammer: We had a rogue affiliate that we discovered was spamming and we cut them off.
Me: No, this is direct from your IP space.
Spammer: Oh, well, you must have opted in and forgotten about it. [Alternative: We had a rogue sales guy, but we fired him for spamming.]
Me: Your company has only been in business for 3 years, this is an address I haven’t used since the ’90s.
Spammer: Oh, we probably bought a company that you opted into and so have permission that way.
Me: That’s not really permission.
Spammer: Of course it is!
Me: OK…. How can I help you.
Spammer: We want you to call Google / Yahoo / Hotmail and tell them we’re really a legitimate company that’s sending content and we shouldn’t be in the bulk folder.
Me: What have you changed?
Spammer: Nothing! Why would we change anything? We’re great marketers. We have all these plans but need to get back to the inbox before we can implement them.
Me: Um… there’s no filter setting for “laura says they’re a good sender.” They’re going to look for new sending patterns so let’s change a few things.
Spammer: Well, we recently removed 2/3 of our database, but it made no difference so we don’t know what else you think we can do.
Me: Let’s talk about your technical setup.

Read More

Random thoughts on spammers

I recently received a 419 spam that had a message at the top of the email.

Yup, a 419 spammer is trying to convince me there are millions of dollars waiting for me, but he won’t pay his software vendor 29.99 to comply with a license.
This is only the most recent in a long line of examples of spammers being cheap and attempting to steal services.
Back when I was working abuse almost every ISP had a story about a spammer who refused to pay their bill. Or spammers who were so high maintenance they cost the company money.
The company I worked for had a spammer that was on our system for far too long. Eventually they were cut off for non-payment and their hardware was confiscated. Still, the spammer came in and managed to remove the hardware before the building guards were alerted. It was disappointing, but at least they weren’t spamming off our network any longer.
Even now, ESPs share stories of customers who come in, spam and never pay their bill. Works for the spammer, they can get a few weeks of spamming in without having to pay for the service. They spew their stuff and leave a giant mess for the ESP to clean up. Next week, they’re on to the next ESP.
The real problem with this is that with enough ESPs and enough sends you can clean a list. This list can then be sold, or moved to a credible ESP without any of the tell tale signs of a purchased list. It’s so common it even has a name: waterfalling. It’s profitable, though, and there are enough small ESPs out there with little compliance experience that it can work.
I regularly get questions from folks who’ve worked themselves into a hole about swapping IPs or domains in order to get out of the hole. My answer is always the same. Changing identity might work in the short term, but it won’t work longer term. I also tell them that spammers have been trying to avoid filters for a lot longer than they have. Spammers are good at it, and still get caught in filters. Better to spend time trying to fix the underlying problem – typically users aren’t engaged with your mail – than trying to obfuscate who is sending the message to avoid filters.
Focus on sending good email that users want, rather than trying to avoid filters. That’s the key to getting into the inbox.

Read More

It's not fair

In the delivery space, stuff comes in cycles. We’re currently in a cycle where people are unhappy with spam filters. There are two reasons they’re unhappy: false positives and false negatives.
False positives are emails that the user doesn’t think are spam but go into the bulk folder anyway.
False negatives are emails that the user does think are spam but are delivered to the inbox.
I’ve sat on multiple calls over the course of my career, with clients and potential clients, where the question I cannot answer comes up. “Why do I still get spam?”
I have a lot of thoughts about this question and what it means for a discussion, how it should be answered and what the next steps are. But it’s important to understand that I, and most of my deliverability colleagues, hate this question. Yet we get it all the time. ISPs get it, too.
A big part of the answer is because spammers spend inordinate amounts of time and money trying to figure out how to break filters. In fact, back in 2006 the FTC fined a company almost a million dollars for using deceptive techniques to try and get into filters. One of the things this company did would be to have folks manually create emails to test filters. Once they found a piece of text that would get into the inbox, they’d spam until the filters caught up. Then, they’d start testing content again to see what would get past the filters. Repeat.
This wasn’t some fly by night company. They had beautiful offices in San Francisco with conference rooms overlooking Treasure Island. They were profitable. They were spammers. Of course, not long after the FTC fined them, they filed bankruptcy and disappeared.
Other spammers create and cultivate vast networks of IP addresses and domains to be used in snowshoeing operations. Still other spammers commit criminal acts to hijack the reputation of legitimate senders to make it to the inbox.
Why do you still get spam? That’s a bit like asking why people speed or run red lights. You still get spam because spammers invest a lot of money and time into sending you spam. They’re OK with only a small percentage of emails getting through filters, they’ll just make it up in volume.
Spam still exists because spammers still exist.
 

Read More

More CASL enforcement

Last week the CRTC published a CASL enforcement action wherein they fined an individual $15,000 for 10 violations of the act.

Read More

Another CASL fine assessed

This week the Canadian Radio-television and Telecommunications Commission (CRTC) announced a $50,000 fine against Blackstone Learning Corp. for violations of CASL.
In early 2015, the CRTC identified over 380,000 emails sent without the consent of recipients and fined Blackstone $640,000. Blackstone appealed the ruling and the Commission lowered the fine to $50,000.
I strongly recommend folks who are interested in how the CRTC is enforcing CASL read the full release. In it, the CRTC walks us through the process of investigation. In this case, Blackstone argued that they had implied consent based on the public nature of the recipients’ email addresses and the fact they’re published on different websites. The commission disagreed.

Read More

The 10 worst …

Spamhaus gave a bunch of us a preview of their new “Top 10 worst” (or should that be bottom 10?) lists at M3AAWG. These lists have now been released to the public.
The categories they’re measuring are:

Read More

Spammers, eh?

I’m back from a fun and successful trip to the APSIS Email Marketing Evolved conference. Of course, this means I’m digging out my mailboxes and going through mail I’ve ignored for the past week. It’s amazing how the spam builds up when I’m not tending to it every day.

Read More

4 things spammers do legitimate marketers don't

I’ve never met a spammer that claims to be a spammer. Most that I’ve met claim to be legitimate marketers (or high volume email deployers). But there are things spammers do that I never expect to see a legitimate marketer doing.
I’ve written about these things throughout the blog (tag: TWSD), but it’s probably time to actually pull them together into a single post.

Read More

Spammers make me laugh…

When they can’t work their spam ware.

{rtf1ansiansicpg1252deff0deflang1033{fonttbl{f0fnilfcharset0 Calibri;}}
{*generator Msftedit 5.41.21.2510;}viewkind4uc1pardsa200sl276slmult1lang9f0fs22 Dear Sir,par
My clients wants to invest huge cash .Please do reply if interested no dime needed from you.par
Regardspar
john Gagapar
}

Read More

Can someone explain to me…

What this disclaimer means?

You are receiving this email because you have a customer relationship or have opted-in to an email list managed by the Emailing Entity listed below. This email was not sent to you by the company or website identified in the offer above, for which we have a separate business relationship. We have represented to such company or website that we have the affirmative right to email you with an offer on their behalf.

Read More

What happens when you apply for a PayDay loan

From NPR.
I’ve had clients over the years who were email marketing agencies selling leads to lenders. Their delivery is horrible, even when they’re doing all the “right things” for email. I’ve come to the conclusion that PayDay lenders are a lot like lawyers: “95% of them give the rest a bad name.”
PayDay loans are the one area where content trumps everything else, and so much of the content out there is bad, it can ruin delivery for everything. The NPR article speaks to why that is.

Read More

The Internet is for Spam

Eggs, ham, sausage and spam.
Some say the Internet is for porn; but you know that in truth the Internet is for spam. As communication technologies got cheaper, the cost of grabbing a megaphone and jamming it up against the aching ear-drums of an advertising-jaded public collapsed: Meanwhile, the content-is-king mantra of the monetization mavens gridlocked the new media in an advertising-supported business model. The great and the good of the Academy have been fighting a losing battle against the Anglo-Saxon hucksterization model for the past thirty years: But the sad truth is that the battle’s lost. The tide of war was turned in Beijing and New Delhi, when the rapidly industrializing new superpowers climbed on the MAKE MONEY FAST band-wagon and gave free reign to the free market, red in tooth and claw – just as long as the sharp bits were directed outwards. And today the entire world is still drowning in a sea of attention-grabbing unregulated unethical untruthful spamvertising.
Spam, ham, sausage and spam.
Rule 34, Charles Stross

Read More

Spam illustrated

Portraits of Spammers
It’s been a long week, so enjoy some art (and spam). Next week we’ll get back to discussing the many faults of Gmail. And senders. And receivers. And, well, everyone has faults. And email is Dead. Tabs killed it.

Read More

A new twist on confirmation

I got multiple copies of a request to “confirm my email address” recently. What’s interesting is the text surrounding the confirmation request.

Read More

Spammers already abusing Vine

Spammers have already figured out how to abuse the new twitter video service (VINE) to make money. I wish I could say I was surprised, but spammers (and scammers) are some of the earliest adopters of technology out there. They adopt it and try to extract as much money as possible before the property owners can catch up and implement anti-abuse technology.
Too few companies actually build products with anti-abuse technology built in. This costs them and the victims money.

Read More

TWSD: avoid filters

I was cleaning out one of my spamtraps. This is the one that gets a ton of “legitimate” spam. In the last 12 hours it’s gotten spam advertising: T.G.I.Fridays, KFC, Applebees, LendingTree, Lasix Vision Institute, Kohl’s, Burger King, Match.com, and Vistaprint.
The footers of some of the mails are making me laugh, though. It’s clear they’re trying to comply with CAN SPAM, but are having problems with content filtering. Here’s a brief selection of the footers:
Ondemand Research, 1O5 E.[34th]-Street Ste 144, New Y0rk, NY 1OO16
Ondemand Research, 105 E. 34th Street St #144, New York, NY 10016
0ndemand=Research, 1O5/E/./34th Street Ste 144,New Y0rk,NY=1OO16
Poor OnDemand Research, they just can’t catch a break.
EDIT: Just got a spam for Ruby Tuesday’s using a .pw domain.

Read More

Seedy underworld

ESPs have to deal with spammers, phishers and scammers getting onto their networks. Mailgun talks about some of the things they’ve found out about these problem customers.

Read More

A Spam Blast from the Past

A couple of days ago an ex-employee of Opt-In Inc. was kind enough to do a Reddit AMA answering questions about their experience working with Steve Hardigree in the “legitimate” email marketing industry, back in the early 2000s.
The whole thing is worth a read, but I thought I’d share some of his more interesting answers here.
Everyone knows everyone

Read More

Spam works

I got a spam today advertising spamming services that ended with a tagline that can be paraphrased: We managed to spam you, let us spam others on your behalf!
OK, so what they actually said was:

Read More

You've got to be kidding me

Earlier this week I received an email to a work address I retired 4 or 5 years ago. The from and subject lines alone were enough to make me laugh and decide I had to blog about this particular spammer.

Read More

It's Wednesday – do you know where your sales staff are?

I received an email yesterday with the subject “Please confirm your lunch reservation”. It didn’t look like a typical spam subject line, but wasn’t from anywhere I recognized.
I take a look.

Read More

The dark side of email marketing

Everyone I talk to when dealing with issues inevitably has to tell me they are legitimate email marketers. They’re not spammers, they’re just business people. I often find it difficult to fathom why they need to tell me this. It’s not like email marketers are criminals or anything.
Two recent stories reminded me how evil some folks are. While I’ve not had any direct contact (that I know of) with any of the players on this end of things I have zero doubt that if they called me they would tell me that they were legitimate email marketers.
In one case, members of a spam gang kidnapped the teenage daughter of someone investigating their activities. The gang held her for more than 5 years in horrific conditions. Yesterday Joseph Menn, author of “Fatal System Error”, posted on Boing Boing that his friend got his daughter back. It is a heartbreaking story and incredibly sobering.
In another case, the Russian police arrested a man who ran spammit.com, a clearinghouse for viagra sellers to find spammers to send their mail. Reports say that mail volumes dropped by a fifth after the site was taken offline.
There is real evil in the email marketing industry. Sure, they’re spammers and we can all stand up and say they’re not legitimate. But, this is what the ISPs and Spamhaus and law enforcement are dealing with on a regular basis.

Read More

Ah, Spammers.

The too many.
The stupid.
The spammers.
The blog spammers are still actively attempting to get their claws into my blog. Today the comments included:

Read More

Suing spammers

I’m off to MAAWG next week and seem to have had barely enough time to breathe lately, much less blog. I have a half written post, but it’s taking a little more research to put together. That can wait until I get the chance to do the research.
Instead I thought I’d talk about the North Coast Journal article “The Rise and Fall of a Spam Crusader.” It’s quite an interesting article and looks into the personal and business sacrifices that people make in order to chase down spammers.
In my experience a lot of the serial litigators have very poor practices around data collection and analysis. They don’t collect evidence, they just collect email and then make assertions and assumptions. This is not very effective when having to convince a judge that you are right.
The article actually does nothing to change this impression. The cases ASIS won are the cases where the defendants didn’t respond. That also means that ASIS couldn’t collect.
I do disagree with Mr. Singleton, the lawyer, where he says CAN SPAM is dead. In many cases I’ve seen there aren’t clear CAN SPAM violations. So if he’s trying to sue these spammers under CAN SPAM his cause of action is wrong. Secondly, the article goes on to talk about the broader implications.

Read More

Spam isn't a best practice

I’m hearing a lot of claims about best practices recently and I’m wondering what people really mean by the term. All too often people tell me that they comply with “all best practices” followed by a list of things they do that are clearly not best practices.
Some of those folks are clients or sales prospects but some of them are actually industry colleagues that have customers sending spam. In either case, I’ve been thinking a lot about best practices and what we all mean when we talk about best practices. In conversing with various people it’s clear that the term doesn’t mean what the speakers think it means.
For me, best practice means sending mail in a way that creates happy and engaged recipients. There are a lot of details wrapped up in there, but all implementation choices stem from the answer to the question “what will make our customers happy.” But a lot of marketers, email and otherwise, don’t focus on what makes their recipients or targets happy.
In fact, for many people I talk to when they say “best practice” what they really mean is “send as much mail as recipients will tolerate.” This isn’t that surprising, the advertising and marketing industries survive by pushing things as far as the target will tolerate (emphasis added).

Read More

Botnets and viruses and phishing, oh my!

MessageLabs released their monthly report on email threats yesterday. Many media outlets picked up and reported that 41% of spam was from the Rustock botnet.
Other highlights from the report include:

Read More

Appendleads is not unusual

I called out David Williams from appendleads.com yesterday for his spam. Sure he’s a spammer, his database is full of garbage information and his email violates CAN SPAM but he’s not that unusual in the realm of list sellers. He is very typical of the people I see offering lists for sale.
List sellers are the internet version of used car salesmen. Everyone knows they are slimy sales guys who will do anything to close the sale. They don’t have a real web presence, just visit appendleads.com and see what I mean.
And yet, people still buy lists from them! I have no doubt that my spammer friend has a nice little business selling email addresses. He sends out spam, he gets a few responses, makes a tidy profit and then sends out another spam, hooks a few more people and makes more money.
OK, so not all list sellers are like appendleads. Some of them go so far as to build a website. But at the core they’re the same. They are selling data that isn’t clean, it’s not opt-in, it’s not been verified.
This is why so many of us harp on not buying lists. The sales guys talk a great game, but they aren’t selling what purchasers think they’re getting. They also don’t care. They have no incentive to clean up their data. They have no incentive to accurately represent what they’re selling. All of the risk is on the person that sends the email. Once they have their money, the buyer is on their own.
Can you ever successfully purchase a list? I’m sure some senders have. But that experience is closer to winning more than a thousand dollars in the lottery than an actual good business decision.

Read More

Buying Lists

One of my email addresses at a client got spammed today offering to sell me appending services. I was going to post the email here and point out all of the problems in how he was advertising it, including violating CAN SPAM.
As I often do, I plugged his phone number into google, only to discover that my blog post from March about this spammer was the 2nd hit for that number. Well, go me.
I can report nothing has changed. He’s still violating CAN SPAM. He’s still claiming I have no right to post, share, spindle, mutilate or fold his spam. Well, in the interest of something, I thought I’d share the whole post this time. Just to warn folks from attempting to purchase services from appendleads.com (nice website, by the way).

Read More

Analysing lead-gen spam

Yesterday I showed how major companies hire hard core spammers.
Today I’m going to show you some of the technical details as to how I found that data. This is a fairly quick and shallow analysis, the sort of thing I’d typically do for a client to help them decide whether the case was worth pursuing before expending too much money and time on investigation and legal paperwork. I’ve also done it using standard command line tools that are available on pretty much any unix command line (and windows, with a little effort).
There are several questions to answer about the email in question.

Read More

AARP, SureClick, Offerweb and Spam

On Tuesday Laura wrote about receiving spam sent on behalf of the AARP. The point she was discussing was mostly just how incompetent the spammer was, and how badly they’d mangled the spam such that it was hardly legible.
One of AARP’s interactive advertising managers posted in response denying that it was anything to do with the AARP.

Read More

Did anyone actually look at this email before sending?

I received spam advertising AARP recently. Yes, AARP. Oh, of course they didn’t send me spam, they hired someone who probably hired someone who contracted with an affiliate marketer to send mail.
The affiliates, while capable of bypassing spam filters, are incapable of actually sending readable mail.

Read More

News from MAAWG

During MAAWG a number of companies in the email space announce new initiatives, mergers, products and the like. This MAAWG is no different.
Spammers adjust to security trends. This is not really news, spammers have been adjusting to new security measures since folks started blocking from: addresses back in ’95 and ’96. The tactics are different and developing, but for every security hole that is blocked, spammers will search for another hole to exploit. The unfortunate truth is that the end user is the weak point, and spammers and scammers are very very good at social engineering.
Spam statistics stalemate. Spam is still accounting for approximately 90% of all email traffic.
Cloudmark acquires Bizanga. I talked to some of the Cloudmark folks and they seem very excited with their acquisition of the Bizanga MTA and email technology.
Bizanga Storage announced. Bizanga Store is a scalable storage system brought to you by some of the people who were instrumental in building the Bizanga MTA acquired by Cloudmark.
ReturnPath announced partnership with RPost. Yet more ongoing changes in the certification field.

Read More

Spammers aren't who you think they are

Shady direct marketers exploit CAN SPAM to continue spamming but protect themselves from the law. This is something I’ve been talking about for a while (TWSD), and it’s nice to see the mainstream press noticing the same thing.
HT: Box of Meat

Read More

Important notification spammers break the law

I’m currently being inundated at multiple addresses with spam advertising spamming services. Most of these notices have the subject line: IMPORTANT NOTIFICATION. The text includes:

Read More

And the ugly…

Getting back to my series on the good, the typical and the ugly in the ESP field, and there is some very ugly out there. I have 3 examples of the ugliness out there and what ESPs and legitimate senders are competing with.
The fake ESP
A spammer approached me early on in my consulting career, asking me to help him set up a fake ESP. He wanted to set up his corporate network so that to an outsider it would look like he was selling ESP services and thus had a large number of customers. There wouldn’t be any customers, however, all the mail would be coming from his company. When the blocking got bad enough, and it would as he would purchase addresses from anywhere, he would “disconnect” the responsible customer. My role was to help him come up with a plausible sounding acceptable use policy and then contact the ISPs when he “disconnected” the customer. I declined to participate in this scheme. This doesn’t appear to have stopped him, though, if the rumors I hear are to be believed.
Waterfalling
Related to the fake ESP scheme is waterfalling. Spammers acquire lists of email addresses and then begin the process of cleaning them by mailing. In some cases, they mail through fake ESPs, as above. In other cases, they actually spread their traffic out across legitimate ISPs. As they mail the lists through the ESPs, they remove unsubscribes, bounces and complaints. When the list reaches a set cleanliness, they move it to another ESP. They repeat this, gradually moving through cleaner and cleaner ESPs. Eventually, they move the list to their own network and sell mailings to it as an opt-in list. It’s not opt-in, it’s just cleansed of all negative responders.
The companies abusing ESPs to clean their lists do tarnish the reputation of ESPs. While the responsible ESPs do disconnect the waterfallers, they usually do so after problems are detected. That being said, there are some companies that are constantly looking for “partnerships” at ESPs and the ESPs turn them away during the sales cycles.
Affiliates
While not necessarily an ESP problem there are some large companies out there that hire spammers to send acquisition email for them. They also send their own mail, both marketing and transactional, through ESPs. The issue for ESPs comes when the URL blocks happen and the bad reputation of their customer’s mail bleeds back to the ESP’s IP addresses. The ESP becomes known as “one of those places that mails for X” and their reputation falls accordingly. In some cases, even if the mail through the ESP is clean and opt-in, the ESP finds itself blocklisted for just doing business with a company that hires spammers.
I’ve had a couple clients recommended to me by ESPs because the ESP was dealing with a persistent spam block around this particular customer. The mail the customer sent through the ESP was opt-in, but the client was using an extensive network of affiliates to send spam for them. I collected a lot of examples of their spam from various affiliates, even gave them a couple of examples from my own email addresses. One of those addresses has not been actively used in 6 years. My client tells me they talked to their affiliates and that the affiliate assured them I had signed up, I just forgot. The client chose to believe the affiliate over me, despite the fact that I had many other examples. That client lost their ESP (and good for the ESP) but is still sending spam. I just got one advertising their stuff yesterday, at the same address I gave to them years ago, all images, hashbusters, domain hidden behind proxy, coming from a snowshoer network.
All of the companies I’ve talked about here describe themselves as legitimate email marketers. Even the company telling me I opted in to their mail was defending themselves and their affiliates as legitimate email marketers.

Read More

TWSD: keep spamming even when they say they'll stop

About a month ago I posted about receiving spam from a psychic attempting to sell me candles and stuff. The spammer was sending mail from a company called “Garden of Sound” using an ESP called OnLetterhead. A brief investigation led me to believe that unsubscribing from the mail was not going to do anything.
The post prompted an email from Scott B., the VP of Marketing of the company that is responsible for OnLetterhead. I replied to his email, pointing out a number of things he was doing that made his business look like an ESP front for spammers.
After he received my mail he called me to talk to me about the content of my post and the email and to assure me they were immediately implementing one of my suggestions (that they not put a generic “here’s how to unsubscribe” link on their 1000+ link domains, instead have those actually point to their AUP and corporate pages). He also assured me they took my complaint seriously and I would no longer be receiving email.
Guess what?
Garden of Sound is still spamming me from OnLetterhead. They’ve not even managed to implement the changes they pledged would be rolled out the same week as my blog post. Sure, the domain I’m getting spam from is different, the physical postal address is different, the product is different, the friendly from is different. But the preheader still says “this mail sent by Garden of Sound.” It’s all the same list, it’s all the same company, it’s all the same group of spammers.
Despite Scott’s attempt to convince me he wasn’t a spammer, it seems my initial impression was right. OnLetterhead is simply a company attempting to look like they’re legitimate without actually taking any responsibility for the email going out from their network. They can’t even manage the bare minimum.
It’s companies like this that give the rest of ESPs a bad name.

Read More

Permission Based Emails? Are you sure?

Yesterday I wrote about the ReturnPath study showing 21% of permission based email does not make it to the inbox. There are a number of reasons I can think of for this result, but I think one of the major ones is that not all the mail they are monitoring is permission based. I have no doubt that all of the RP customers say that the mail they’re sending is permission based; I also have no doubt that not all of the mail is.
Everyone who sends mail sends permission based email. Really! Just ask them!
In 10 years of professionally working with senders I have yet to find a marketer that says anything other than all their email is permission based. Every email marketer, from those who buy email addresses to those who do fully confirmed verified opt-in with a cherry on top will claim all their email is permission based. And some of the mailers I’ve worked with in the past have been listed on ROKSO. None of these mailers will ever admit that they are not sending permission based email.
Going back to ReturnPath’s data we don’t really know what permission based email means in this context and so we don’t know if the mail is legitimately or illegitimately blocked. My guess is that some significant percentage of the 20% of email to the probe accounts that doesn’t make it to the inbox is missing because the sender does not have clear recipient permission.
When even spammers describe their email as permission based email marketing, what value does the term have?

Read More

Fake privacy policies

I sign up at a lot of websites and liberally spray email addresses across the net. These signups are on behalf of one customer or another and each webform gets its own tagged and tracked email address. I always have a specific goal with each signup: getting a copy of a customer’s email, checking their signup process, auditing an affiliate on behalf of a customer or identifying where there might be a problem in a process. Because I have specific goals, I am pretty careful with these signups and usually uncheck every “share my email address” box I can find on the forms.
In every case the privacy policies of my clients and the things they tell me are explicit in that addresses will not be shared. It’s all opt-in, and email addresses are not shared without permission. Even in the cases where I am auditing affiliates, my clients assure me that if I follow this exact process my address will not be shared. Or so the affiliates have assured them.
Despite my care and the privacy policies on the websites, these addresses occasionally leak or are sold. This is actually very rare, and most of the websites I test never do anything with my address that I don’t expect. But in a couple cases these email addresses have ended up in the hands of some hard core spammers (hundreds of emails a day) and there was no useful tracking I could do. In other cases the volume has been lower, and I’ve watched the progression of my email addresses being bought and sold with morbid fascination.
Today an address I signed up at a website about a year ago got hit with multiple spams in a short time frame. All came from different IPs in the same /24. All had different domains with no websites. Whois showed all the domains were registered behind a privacy protection service. Interestingly, two of the domains used the same CAN SPAM address. The third had no CAN SPAM address at all. None of these addresses match the data I have on file related to the email signup.
It never ceases to amaze me how dishonest some address collection outfits are. Their websites state clearly that addresses will not be bought and sold, and yet the addresses get lots of spam unrelated to the original signup. For those dishonest enough to do this they’ll never get caught unless recipients tag and track all their signups. Even worse, unless their partners test their signups or their mailing practices, the partners may end up unwittingly sending spam.
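The tag-and-track approach described in this post can be automated. The following is an added example, not the author's own tooling: it flags mail arriving at a tagged signup address from a domain that signup never covered, then groups the hits by /24 to surface the "different IPs, different domains, same /24" pattern. All addresses, domains and IPs are constructed.

```python
import ipaddress
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed registry: one tagged address per signup, with the sender domains expected to mail it.
SIGNUPS = {
    "audit+shopsite@example.net": {"shopsite.example"},
    "audit+newsco@example.net": {"newsco.example"},
}

def sample(ip, sender, rcpt):  # constructed header block, documentation IP ranges
    return f"Received: from mta (unknown [{ip}]) by mx.example.net\nFrom: {sender}\nTo: {rcpt}\n\n"

MESSAGES = [
    sample("198.51.100.5", "news@mail.shopsite.example", "audit+shopsite@example.net"),
    sample("203.0.113.10", "a@brightoffer.example", "audit+shopsite@example.net"),
    sample("203.0.113.57", "b@dealwave.example", "audit+shopsite@example.net"),
    sample("203.0.113.201", "c@savernow.example", "audit+shopsite@example.net"),
]

def parse(raw):
    """Return (recipient, sender domain, IP from the topmost Received header or None)."""
    msg = message_from_string(raw)
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", msg.get("Received", ""))
    return rcpt, domain, ipaddress.ip_address(m.group(1)) if m else None

def find_leaks(raw_messages, signups=SIGNUPS):
    """Mail to a tagged address from a domain outside that signup's expected senders."""
    leaks = []
    for rcpt, domain, ip in map(parse, raw_messages):
        allowed = signups.get(rcpt)  # None means the address is not one we track
        if allowed is not None and not any(
                domain == d or domain.endswith("." + d) for d in allowed):
            leaks.append((rcpt, domain, ip))
    return leaks

def cluster_by_slash24(leaks):
    """Group leaks by (tagged address, /24), keeping the distinct IPs and domains seen."""
    groups = defaultdict(lambda: {"ips": set(), "domains": set()})
    for rcpt, domain, ip in leaks:
        if ip is not None:
            g = groups[(rcpt, str(ipaddress.ip_network(f"{ip}/24", strict=False)))]
            g["ips"].add(str(ip))
            g["domains"].add(domain)
    return dict(groups)
```

A cluster with several IPs and several unrelated domains on one tagged address points at a single sender spreading volume across a network block, and the tag identifies which signup the address came from.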

Read More

Words of wisdom from the hallway

Sitting around talking with folks in the hallway. One ISP rep mentions “we think we have found another front company of theirs…”
My only comment was “If a company needs to create a front company…” We all just looked at each other and didn’t need to come up with the “then…”
Really, if a sender thinks they must establish front companies to get connectivity or get customers or get delivery… then this is an admission of guilt.

Read More

Appropriating reputation

One of the things savvy spammers are doing these days is appropriating the reputation of someone else. Reputation appropriation takes many forms. Some spammers hijack Windows machines, turn them into bots and send spam through major ISP smarthosts. “Legitimate email marketers” buy service from mainstream ESPs to send their permission-challenged email that they cannot get delivered through their own IP space.
There are different strategies for companies to prevent bad groups from appropriating their reputation. For the ESP, the prime defense against reputation appropriation is screening new customers and new lists.
When screening potential customers, there are three broad categories that customers fall into. One is the legit prospect that is exactly whom they represent to you, these are the easy guys. Another is the naive mailer, who really does not have any clue about email but wants to move into the digital age. This mailer is often extremely small, but knows nothing about email. The final category is the subversive prospect. This is the company who knows exactly what they are doing, and who is actively working to hide their practices from the ESP. They are attempting to subvert the process.
Over the coming weeks I will be talking more about screening new customers and how to distinguish the naive customer from the subversive one.

Read More