Spamming
Evolution of policy
Last week, I talked about policy, using some different blocklist policies as examples. In that post I talked about how important it is that policy evolve. One example of that is how we’ve been evolving policy related to companies that get listed on Purchased Lists and ESPs. Who is listed has evolved over time, and we’re actually looking at some policy changes right now.
Read MoreDodging filters makes for effective spamming
Spam is still 80 – 90% of global email volume, depending on which study look at. Most of that spam doesn’t make it to the inbox; ISPs reject a lot of it during the SMTP transaction and put much of rest of it in the bulk folder. But as the volumes of spam have grown, ISPs and filters are relying more and more on automation. Gone are the days when a team of people could manually review spam and tune filters. There’s just too much of it out there for it to be cost effective to manually review filters.
In some ways, though, automatic filters are easier to avoid than manual filters. Take a spam that I received at multiple addresses today. It’s an advertisement for lists to “meet my marketing needs.” I started out looking at this mail to walk readers through all of the reasons I distrusted this mail. But some testing, the same sorts of testing I do for client mails, told me that this mail was making it to the inbox at major ISPs.
What told me this mail was spam? Let’s look at the evidence.
Spamming is a marketing tactic
A twitter discussion about the use of Re: and FWD: in subject lines for bulk email. The summary appears to be that even marketers hate it when they get mail like that, but if it drives sales then it’s a worthwhile trick. The final tweet says a lot, though.
Read MoreThe perils of politics
I’ve talked a little bit about political and activist mail in the past. In general, I believe political mailers tend to be aggressive in their address collection techniques and sloppy in acquiring permission.
For the most part, politicians can get away with aggressive email marketing in a way that commercial emailers can’t always. The laws for commercial email don’t really apply to political emails. Politicians and activists don’t have to comply with CAN SPAM. They don’t even have to stop mailing if you opt-out. They don’t have to identify themselves the way commercial emailers do. They trade, sell, barter and borrow voter data, including email addresses.
This doesn’t mean the politicians don’t get blocked. They most certainly do suffer delivery consequences to their behaviour.
Well, today I saw another article talking about the pitfalls of political mailings. According to US News, a number of people who are unlikely to be Republican supporters were reporting that they were spammed by the Romney campaign.
The Romney campaign says it wasn’t them, and that they are only sending mail to people who signed up to receive it. This is possible, the article at US News says that the signups came from an IP address that is part of the Tor network. What is Tor? Tor is a way to hide your location on the internet. Ever watch a crime show and see the master geek track a bad guy all over the world by IP address? That’s basically what Tor does.
It’s very possible someone did find a list of email addresses of people guaranteed to be angry about getting mail from the Romney campaign. It’s very possible they used Tor nodes to submit those addresses the campaign lists. It’s been known to happen, and it’s not like this election is getting any less contentious as we get closer to November.
Forged subscriptions are a problem for every activist and political mailing list. But most of them don’t take any steps to protect themselves from maliciousness. Welcome emails, confirmation emails, audit trails, monitoring can help minimize the chance of subscribing a lot of people who don’t want that mail. Most political and activist groups won’t take that step, though. They’d rather increase lists by any means necessary without adding any controls on making sure those addresses are valid.
The irony is that the first thing activists blame when they do have email delivery problems is their political opponents forging addresses into their list. But they still push back against actually implementing controls and protections against the practice.
As with many things, politicians want to have their cake and eat it too. They want the extra volume that comes from indiscriminate signups, but don’t think that should cause them any problems. It doesn’t work that way in the real world, though.
Spammer loses in the court of public opinion
Columnist Mike Cassidy of the SJ Mercury News dedicates his column today to explaining how horribly a spammer named Michael Luckman is being treated by Spamhaus.
The gist of the story is that Mr. Luckman thinks that because it is legal to purchase lists and send mail that there is nothing anyone can do to stop him from doing so. Unfortunately for Mr. Luckman, this isn’t actually true. Simply complying with the law does not mean that spamming behaviour has to be tolerated by ISPs. What’s more, ISPs have a lot of power to stop him.
His recipients’ ISPs can stop him. Filtering companies can stop him. And his upstream can stop him. In fact, Mr. Luckman’s upstream is GoDaddy, a company that has an abuse desk that is one of the toughest on the Internet. They do not tolerate spamming at all and will disconnect customers that are spamming whether or not there is a SBL listing involved.
Sure, Mr. Luckman is complying, or says he’s complying, with CAN SPAM. But that doesn’t change the fact that he is violating his contract with GoDaddy. Given that admission, I am extremely surprised that the reporter focused so exclusively on Spamhaus’ role in this, without mentioning GoDaddy’s abuse enforcement or that Mr. Luckman has to comply with contracts he signed.
Most reputable marketers agree that sending mail to purchased email addresses is spam. Most recipients agree that mail they didn’t ask to receive is spam. Even the reporter agrees that Mr. Luckman is a spammer. Compliance with CAN SPAM doesn’t mean anyone is required to accept his mail, nor provide him with a connection to the rest of the internet.
This is a lesson Mr. Luckman is having problems learning. Instead of fixing his process so he isn’t sending spam, he contacts a reporter to plead his case in the court of public opinion. Sadly for him, most people hate spam and won’t defend a self admitted spammer against a blocking group. In fact, over 80% of the people who have voted in the “has Spamhaus gone too far” poll have said no. What’s your vote?
Are you still thinking of purchasing a mailing list?
Last week there was an article published by btobonline promoting the services of a company called Netprospex. Netprospex, as you can probably gather from their company name, is all about the buying and selling of mailing lists. They will sell anyone a list of prospects.
The overall theme of the article is that there is nothing wrong with spam and that if a sender follows a few simple rules spamming will drive business to new heights. Understandably, there are a few people who disagree with the article and the value of the Netprospex lists.
I’ve stayed out of the discussion, mostly because it’s pretty clear to me that article was published solely to promote the Netprospex business, and their point of view is that they make more money when they can convince people to purchase lists from them. Dog bites man isn’t a very compelling news story. Data selling company wants you to buy data from them isn’t either.
They are right, there is nothing illegal about spam. Any sender can purchase a list and then send mail to the addresses on that list and as long as that sender meets the rock bottom standards set out in CAN SPAM. As long as your mail has an opt-out link, a physical postal address and unforged headers that mail is legal. The only other obligation on the sender is to honor any unsubscribe requests within ten days. So, yes, it is legal to send spam.
But legal action isn’t the only consequence of spamming. Today I received the following in an email from a colleague.
The coming changes
Yesterday I talked about how I’m hearing warnings of a coming paradigm shift in the email industry. While these changes will affect all sender, ESPs in particular are going to need to change how they interact with both ISPs and their customers.
Currently, ESPs are able to act as “routine conveyers.” The traffic going across their network is generated by their customers and the ESP only handles technical issues. Responsible ESPs do enforce standards on their customers and expect mailings to meet certain targets. They monitor complaints and unknown users, they monitor blocks and reputation. If customers get out of line, then the ESP steps in and forces their customer to improve their practices. If the customer refuses, then the ESP disconnects them.
Currently standards for email are mostly dictated by the ISPs. Many ESPs take the stance that if any mail that is not blocked by the ISPs then it is acceptable. But just because a certain customer isn’t blocked doesn’t mean they’re sending mail that is wanted by the recipients.
It seems this reactive approach to customer policing may no longer be enough. In fact, one of the large spam filter providers has recently offered their customers the ability to block mail from all ESPs with a single click. This may become a more common response if the ESPs don’t start proactively policing their networks.
Why is this happening? ISPs and filtering companies are seeing increasing percentages of spam coming out of ESP netspace. Current processes for policing customers are extremely reactive and there are many ESPs that are allowing their customers to send measurable percentages of spam. This situation is untenable for the filtering companies or the ISPs and they’re sending out warnings that the ESPs need to stop letting so much spam leave their networks.
Unsurprisingly, there are many members of the ESP community that don’t like this and think the ISPs are overreacting and being overly mean. They do not think the ISPs or filtering companies should be blocking all an ESPs customers just because some of the customers are sending unwanted mail. Paraphrased, some of the things I’ve heard include: