Spamtraps

What Spamtraps Tell Us

Many blocklists use spamtraps to detect poor sending practices and will cite spamtrap hits as the reason for the blocks. Senders legitimately fear spamtraps showing up on their lists because of this. If spamtraps weren’t used by blocklists no one would really care about them. They’re just another kind of bad address.

Do spamtraps exist?

One of the folks on the Email Geeks slack asked me a question last week that I thought was really insightful and has a somewhat nuanced answer.

Purging to prevent spamtraps

Someone recently asked when they should purge addresses to remove spamtraps. To my mind this is actually the wrong question. Purging addresses that don’t engage is rarely about spamtraps, it’s about your overall communication processes.

Spamtraps are overblown… by senders

One of the fascinating parts of my job is seeing how different groups in email have radically disparate points of view. A current example is how much value senders put on spamtraps compared to ISPs and filtering companies.

Spamtraps on the brain

I really dislike whomever it was that coined the term pristine spamtraps. I get what they were trying to do, explain the different kinds of spamtraps and how different traps get on your list in different ways. Except… any type of trap can end up on your list in any way.

Recycled spamtraps

Spamtraps strike fear into the heart of senders. They’ve turned into this monster metric that can make or break a marketing program. They’ve become a measure and a goal and I think some senders put way too much emphasis on spamtraps instead of worrying about their overall data accuracy.

Recycled addresses, spamtraps and sensors

A few hours ago I was reading an ESP blog post that recommended removing addresses after they were inactive for a year because the address could turn into a spamtrap. That is not how addresses turn into spamtraps and not why we want to remove active addresses. Moreover, it demonstrates a deep misunderstanding of spamtraps. Unfortunately, there are a lot of myths and misunderstandings of spamtraps in general.

5 answers you need before mailing old addresses.

From the archives: Mailing old addresses: 5 questions to ask first
James asked the question on twitter:

February 2017: The Month In Email

Happy March!

As always, I blogged about best practices with subscriptions, and shared a great example of subscription transparency that I received from The Guardian. I also wrote about what happens to the small pool of people who fail to complete a confirmed opt-in (or double opt-in) subscription process. While there are many reasons that someone might not complete that process, ultimately that person has not given permission to receive email, and marketers need to respect that. I revisited an older post on permission which is still entirely relevant.
Speaking of relevance, I wrote about seed lists, which can be useful, but — like all monitoring tools — should not be treated as infallible, just as part of a larger set of information we use to assess deliverability. Spamtraps are also valuable in that larger set of tools, and I looked at some of the myths and truths about how ISPs use them. I also shared some thoughts from an industry veteran on Gmail filtering.
On the topic of industry veterans, myths and truths, I looked at the “little bit right, little bit wrong” set of opinions in the world of email. It’s interesting to see the kinds of proclamations people make and how those line up against what we see in the world.
We attended M³AAWG, which is always a wonderful opportunity for us to catch up with smart people and look at the larger email ecosystem and how important our work on messaging infrastructure and policy really is. I was glad to see the 2017 Mary Litynski Award go to Mick Moran of Interpol for his tireless work fighting abuse and the exploitation of children online. I also wrote about how people keep wanting to quote ISP representatives on policy issues, and the origin of “Barry” as ISP spokesperson (we should really add “Betty” too…)
Steve took a turn as our guest columnist for “Ask Laura” this month with a terrific post on why ESPs need so many IP addresses. As always, we’d love to get more questions on all things email — please get in touch!

Truth, myths and realities

For a long time it was a known fact that certain ISPs recycled abandoned addresses into spamtraps. There were long discussions by senders about this process and how it happened. Then at a conference a few years ago representatives of ISPs got up and announced that they do not recycle addresses. This led to quite a bit of consternation about how deliverability folks were making things up and were untrustworthy and deceptive.

In the early 2000’s ISPs were throwing a lot of things at the wall to deal with mail streams that were 80 – 90% bulk. They tried many different things to try and tame volumes that were overwhelming infrastructure. ISPs did try recycled traps. I know, absolutely know, two did. I am very sure that others did, too, but don’t have specific memories of talking to specific people about it.
At that time, a lot of deliverability knowledge was shared through word of mouth. That turned into a bit of an oral history. The problem with oral history is that context and details get lost. We can use the story of the ISP that did/did not recycle traps as an example.
Deliverability folks talk about an ISP that recycles traps. They don’t mention how often it happens. Some folks make the assumption that this is an ongoing process. It’s not, but anyone who knows it’s not risks violating confidences if they correct it. Besides, if senders believe it’s an ongoing process maybe they’ll be better behaved. Eventually, the story becomes all ISPs recycle traps all the time. This is our “fact” that’s actually a myth.
Then an ISP employee goes to a conference an definitively states they don’t recycle traps. I believe he stated the truth as he knows it to be. That ISP moved on from recycled traps to other kinds of traps because there were better ways to monitor spam.
We were talking about this on one of the deliverability lists and I told another story.
[ISP] recycled addresses once – back when JD was there which must have been, oh, around 2005/6 or so. I heard this directly from JD. It wasn’t done again, but a whole bunch of people just assumed it was an ongoing thing. Since my knowledge was a private conversation between JD and me, I never felt comfortable sharing the information. Given the circumstances, I’ve decided it’s OK to start sharing that end of the story a little more freely.
No one set out to create a myth, it just happened. No one intended to mislead. But sometimes it happens.

What about the spamtraps?

I’ve been slammed the last few days and blogging is that thing that is falling by the wayside most. I don’t expect this to change much in the very short term. But, I do have over 1200 blog posts, some of which are still relevant. So I’ll be pulling some older posts out and sharing them here while I’m slammed and don’t have a lot of time left over to generate new content.
Today’s repost is a 2015 post about spamtraps.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …

September 2015: The month in email

September’s big adventure was our trip to Stockholm, where I gave the keynote address at the APSIS Conference (Look for a wrapup post with beautiful photos of palaces soon!) and had lots of interesting conversations about all things email-related.
Now that we’re back, we’re working with clients as they prepare for the holiday mailing season. We wrote a post on why it’s so important to make sure you’ve optimized your deliverability strategy and resolved any open issues well in advance of your sends. Steve covered some similar territory in his post “Outrunning the Bear”. If you haven’t started planning, start now. If you need some help, give us a call.
In that post, we talked a bit about the increased volumes of both marketing and transactional email during the holiday season, and I did a followup post this week about how transactional email is defined — or not — both by practice and by law. I also wrote a bit about reputation and once again emphasized that sending mail people actually want is really the only strategy that can work in the long term.
While we were gone, I got a lot of spam, including a depressing amount of what I call “legitimate spam” — not just porn and pharmaceuticals, but legitimate companies with appalling address acquisition and sending strategies. I also wrote about spamtraps again (bookmark this post if you need more information on spamtraps, as I linked to several previous discussions we’ve had on the subject) and how we need to start viewing them as symptoms of larger list problems, not something that, once eradicated, means a list is healthy. I also posted about Jan Schaumann’s survey on internet operations, and how this relates to the larger discussions we’ve had on the power of systems administrators to manage mail (see Meri’s excellent post here<).
I wrote about privacy and tracking online and how it’s shifted over the past two decades. With marketers collecting and tracking more and more data, including personally-identifiable information (PII), the risks of organizational doxxing are significant. Moreso than ever before, marketers need to be aware of security issues. On the topic of security and cybercrime, Steve posted about two factor authentication, and how companies might consider providing incentives for customers to adopt this model.

It's not about the spamtraps

I’ve talked about spamtraps in the past but they keep coming up in so many different discussions I have with people about delivery that I feel the need to write another blog post about them.
Spamtraps are …
… addresses that did not or could not sign up to receive mail from a sender.
… often mistakenly entered into signup forms (typos or people who don’t know their email addresses).
… often found on older lists.
… sometimes scraped off websites and sold by list brokers.
… sometimes caused by terrible bounce management.
… only a symptom …

Only spamtraps matter, or do they?

I received mail from Mitusbishi UK over the weekend, telling me that as a subscriber I was eligible to buy a car from one of their dealers, or something. I didn’t actually read the whole thing. While I am competent in a right hand drive, even when it’s a manual, it’s not something I want to try over here in the US.
The address the message came to is one that I’ve had for around 15 years now. But it’s not an address I’ve really ever used for anything. When I have used it, the address is tagged. The bare address has never been handed out.
When I sent the report in to SmartFocus, I commented this wasn’t an opt-in address and that it was, in fact, a spamtrap. Is it? Well, it certainly never signed up for UK car offers. Or any UK mail for that matter. I’ve never opted in to things with it. No one before me had the address.
I know why I mentioned it was a spamtrap… because sometimes it seems like the only way to get some senders to pay attention is if you call the address a trap. Mail to actual users is not a problem, it’s only mail to spamtraps that gets some compliance departments interested in an issue. Without the address begin labeled a spamtrap, the address is just marked as “complaint” and removed from further sends.
I wonder if we, and I include myself in that we, have made it harder to deal with spam by focusing on spamtraps rather than permission. Sure, we did it for a good reason – it’s hard to argue that an address that has never been used by a person signed up to receive mail. But now we have companies trying to create and monetize spamtrap networks because people care about spamtraps.
It’s a less conflict laden conversation when we can say “these addresses didn’t opt-in, they don’t exist.” But somehow “spamtrap” carries more weight than “bounce.” I’m not sure that’s a good distinction, bounces are all potential traps, and I do know some people go through their incoming logs and see what addresses they are bouncing mail to and then turn those addresses on.
Focusing on traps makes some conversations easier. But maybe we need to be having harder conversations with clients and senders and marketers. Maybe lack of spamtraps isn’t a sign of a good list. Maybe good lists are quantified by other things, like response and engagement and ROI.

I use tom@hotmail.com as my default bogus email address. Tom has subscribed to so many things because of me.
Read More

Three things marketers should do when domains are retired

A few weeks ago I was alerted to a domain change for INGDirect. The ingdirect.com domain is being retired and all users are migrating to the capitalone.com domain. As part of this change usernames are NOT being transferred, so if you have @ingdirect.com addresses on any B2B mailing list, you will need to drop those addresses and find the new contact information for the subscriber.

Typo traps

People make all sorts of claims about typo traps. One claim that showed up recently was that Spamhaus has just started using typo traps. I asked my Facebook network when people started using typos to detect incoming spam.
Two different colleagues mentioned using typos, both on the left hand side and the right hand side, back in ’98 and ’99.
The point is, typo traps are absolutely nothing new. They are, in fact, as old as spam filtering itself. And as one of trap maintainers remind me, not all of them even look like typos. It’s not as simple as hotmial.com or gmial.com.
I really think that focusing on traps is paying attention to the wrong thing.
The traps are not the issue. The underlying issue is that people are signing up addresses that don’t belong to them. Sometimes those are addresses that are spamtraps. Sometimes those are simply addresses that belong to someone else. Those addresses don’t belong to customers, they belong to random people who may never have heard of the sender. Sending mail to those people is sending spam.
Just trying to remove traps from your address lists isn’t going to solve the underlying problem. Instead, focus on improving your data process to keep from sending mail to random strangers.

It's about the spam

Tell someone they have hit a spamtrap and they go through a typical reaction cycle.
Denial: I didn’t hit a trap! I only send opt-in mail. There must be some mistake. I’m a legitimate company, not a spammer!
Anger: What do you mean that I can’t send mail until I’ve fixed the problem? There is no problem! You can’t stop me from mailing. I’m following the law. My mail is important. I’ll sue.
Bargaining: What if I just send mail to some recipients? What if I hire an email hygiene company to remove traps from my list?
Acceptance: What can I do to make sure the people I’m mailing actually want to be on my list?
Overall, my problem with the focus on spamtraps (and complaints to a lesser extent) is that these metrics are proxies. Spamtraps are a way to objectively monitor incoming email. Mail sent to spamtraps is, demonstrably, sent without permission of the address owner. This doesn’t mean all mail from the same source is spam, but there is proof at least some of the mail is spam.
If there is enough bad mail on that list, then reworking the subscription process may be necessary to fix delivery.

April: The month in email

April was a big month of changes in the email world, and here at Word to the Wise as we launched our new site, blog and logo.
DMARC
The big story this month has been DMARC, which started with a policy change Yahoo made on April 4 updating their DMARC policy from “report” to “reject”. We began our coverage with a brief DMARC primer to explain the basics around these policy statements and why senders are moving in this direction. We shared some example bounces due to Yahoo’s p=reject, and talked about how to fix discussion lists to work with the new Yahoo policy. We gathered some pointers to other articles worth reading on the Yahoo DMARC situation, and suggested some options for dealing with DMARC for mail intermediaries. Yahoo issued a statement about this on April 11th, explaining that it had been highly effective in reducing spoofed email. We also noted a great writeup on the situation from Christine at ReturnPath. On April 22nd, AOL also announced a DMARC p=reject record. We talked a bit about who might be next (Gmail?) and discussed how Comcast chose to implement DMARC policies, using p=reject not for user email, but only for the domains they use to communicate directly with customers. We expect to see more discussion and policy changes over the next few weeks, so stay tuned.
Spamtraps
We wrote three posts in our continuing discussion about spamtraps. The first was in response to a webinar from the DMA and EEC, where we talked about how different kinds of traps are used in different ways, and, again, how spamtraps are just a symptom of a larger problem. Following that, we wrote more about some ongoing debate on traps as we continued to point out that each trap represents a lost opportunity for marketers to connect with customers, which is really where we hope email program managers will focus. And finally, we tried to put some myths about typo traps to rest. As I mentioned in that last post, I feel like I’m repeating myself over and over again, but I want to make sure that people get good information about how these tools are used and misused.
Security
We started the month by saying “Security has to become a bigger priority for companies” and indeed, the internet continued to see security breaches in April, including the very serious Heartbleed vulnerability in SSL. In the email world, AOL experienced a compromise, which contributed to some of the DMARC policy changes we discussed above. In a followup post, we talked about how these breaches appear to be escalating. Again, we expect to hear more about this in the next weeks and months.
Best Practices
Ending on a positive note, we had a few posts about best practices and some email basics. We started with a pointer to Al Iverson’s post on masking whois info and why not to do it. Steve wrote up a comprehensive post with everything you ever wanted to know about the From header and RFC5322. I talked about how companies ignore opt-outs, and why they shouldn’t. I shared a really good example of a third-party email message, and also talked about message volume. And finally, we talked about how and why we warm up IP addresses.
Let us know if there’s anything you’d like to hear more about in May!

The true facts of spam traps and typo traps

I’m seeing an increase in the number of articles stating wildly wrong things about spam traps. Some have started claiming that typo traps are new. Or that typo traps are newly used by Spamhaus. These claims make for great copy, I guess. Wild claims about how the evil anti-commerce self-appointed internet police are actively trying to trap marketers get clicks. These claims also reinforce the martyr complex some senders have and gives them something to commiserate about over drinks at the next email conference.
I strongly recommend ignoring any article that claims Spamhaus started using typo traps in December 2012. In fact, you can immediately dismiss absolutely everything they have to say. They are wrong and have proven they can’t be bothered to do any fact checking.
I can’t figure out why so many people repeat the same false statements over and over and over again. They’re wrong, and no amount of explaining the truth seems to make any difference. I went looking for evidence.
First, I asked on Facebook. A bunch of my contacts on Facebook have have been running spam traps for a long time. Multiple people commented that they, personally, have been using typos to track spam since the late ’90s. These typos were on both the right hand side of the @ sign (the domain side) but also on the left hand side of the @ sign (the username).
Then, I looked through my archives of one of the anti-spam mailing lists and I see a Spamhaus volunteer mentioning that he had already been using typo traps in 2007. I asked him about this and he pointed out these are some of his older traps and had been around for many years before that mention.
Of course, we’ve written about typo domains used by an anti-spam group to catch spam.
The truth is, typo traps are not new and they’re not a new set of traps for Spamhaus. I’ve talked about traps over and over again. But I’m seeing more and more articles pop up that make verifiably wrong statements about spam traps. Here are a few facts about spam traps.

Spamtraps, again.

The DMA and EEC hosted a webinar today discussing spam traps. Overall, I thought it was pretty good and the information given out was valuable for marketers.
My one big complaint is that they claimed there were only two kinds of spam traps, and then incorrectly defined one of those types. They split spam traps into “pristine” and “recycled.” Pristine traps were defined as addresses that never belonged to a user, but were seeded out on the internet to catch people harvesting addresses off websites.
While dropping addresses on websites is one way people create spam traps, there are uncounted numbers of traps that receive spam (even from some big name brands) that have never been published anywhere. One very common source of trap addresses is Usenet message IDs. I don’t think anyone can really say these were seeded in an effort to catch people harvesting, they were part of posting to Usenet. Another common source of trap addresses is spammers creating email addresses; they take the left hand side of every address on a list and pair that with all the unique right hand sides of the same list. Massive list growth with a chance that some of those addresses will be valid.
I’ve talked about different kinds of spamtraps in depth previously and how the different traps are used in different ways. I also talked about how those different types of traps tell the recipients different things.
Another critical thing to remember about traps is they are not the problem. Spamtrap hits are a symptom of a larger problem with your list acquisition process. Every spam trap on your list is a failure to actually connect with a recipient. If you’re using an opt-in method to collect addresses traps mean that either a user didn’t really want to opt in or you managed to not accurately collect their information.
One of the things I get frustrated with when dealing with potential customers is their laser like focus on “getting the traps off our list.” I really believe that is not the right approach. Just getting the traps off is not going to do anything to improve your delivery over the long term. Instead of focusing on the traps, focus on the reasons they’re there. Look at how you can improve your processes and address collection so that you actually get the correct addresses of the people who really do want that mail.
Other posts about spam traps

Changes at Spamcop

Earlier this week some ESPs started asking if other ESPs have seen an uptick in Spamcop listings. The overwhelming answer (9 of 11 ESP representatives) said yes. I’ve also had clients start to ask me about Spamcop listings. All in all, there seems to be some changes at Spamcop that means more senders are showing up on the Spamcop radar.
Luckily, Spamcop provides us some insight into their data processing. If you look at the current monthly volume graph, we can see some very interesting changes in data.

Delivery implications of Yahoo releasing usernames

Yahoo announced a few weeks ago it would be releasing account names back into the general pool. This, understandably, caused a lot of concern among marketers about how this would affect email delivery at Yahoo. I had the opportunity to talk with a Yahoo employee last week, and ask some questions about how this might affect delivery.
Q: How many email addresses are affected?

TWSD: Mail known spam trap addresses

One of the things we all “know” is that if spammers get their hands on spamtrap addresses then they’ll stop sending mail to those addresses. This is true for a lot of spammers, but sadly it’s not true for all.
I don’t think it’s any secret that I consult for all types of mailers, from those who just need a little tune up to those who want me to help them avoid filters and blocking. During some of these consulting projects, I use my own spam folder as research and provide information on the spam that I am receiving from them.
A few years ago I was working with a company who hires a lot of different affiliates to send acquisition email. A few of their affiliates had really poor practices and they were trying to figure out which affiliates were the problem. I handed over a number of mails from my personal spam traps, in order to help them identify the problem affiliate.
I told them, and their affiliate, what my spamtrap addresses were. And, for many years I stopped receiving that particular spam. But, over the last few weeks I’ve seen a significant uptick in spam advertising my former client.
I’m certainly not trying to convince anyone that handing over spamtraps is a good thing. But there is at least some evidence out there that they’re not even competent enough to permanently remove traps. I really have to wonder at how sloppy some marketers are, too, that they’ll hire spammers and not at least hand over a list of addresses they know are bad addresses to mail.
I really thought spammers were smarter than that. I am, apparently, wrong.
EDIT: Of course, mailing this spamtrap gets them nothing but a little ranty blog post here. It doesn’t result in blocking, or disconnection from their ISP or their ESP or anything else. I suspect if there was actually an affect, like, say, I started forwarding this mail to Spamhaus or other filtering companies, they might stop mailing this address. Anyone want a 20 year old, slightly used spam trap?

Do you have an abuse@ address?

I’ve mentioned multiple times before that I really don’t like using personal contacts until and unless the published or official channels fail. I don’t hold this opinion just about resolving delivery issues, but also use official channels when reporting spam to one of my addresses or spam traps.
My usual complaints contain a plain text copy of the mail, including full headers and a short summary of the email address it was sent to. “This is an address that was part of a leak from…” or “This is an address scraped off my website. It’s been removed from the website since 2004” or “This address isn’t used to sign up for any mail.”
Sadly, there are a number of “legitimate” ESPs that don’t have or don’t monitor their abuse address. In some cases it’s an oversight or a break down of internal mail handling. But in most cases, it’s a sign that the ESP doesn’t actually handle abuse.
It’s frustrating to watch an ESP post long blog posts about “best practices” and “effective delivery” and “not spamming” and yet not be able to actually stop their own customers from spamming. It’s not even that I necessarily want them to disconnect their spamming customers (although that would be nice) but suppressing the address that I’ve told them was a spamtrap seems trivial. And yet, a month after my first complaint and weeks after escalating to a personal contact, I’m still getting spam.
The 5 things every ESP should do to handle spam complaints.

Spamhaus answers questions

Lost in all of the DOS attack news this week is that the first installment of Spamhaus answering questions from marketers in Ken Magill’s newsletter.
It’s well worth a read for anyone who is interested in hearing directly from Spamhaus.
One quote stood out for me, and it really sums up how I try to work with clients and their email programs.

Spamhaus Speaks

There’s been a lot of discussion about Spamhaus, spam traps, and blocking. Today, Spamhaus rep Denny Watson posted on the Spamhaus blog about some of the recent large retailer listings. He provides us with some very useful information about how Spamhaus works, and gives 3 case studies of recent listings specifically for transactional messages to traps.
The whole thing is well worth a read, and I strongly encourage you to check out the whole thing.
There are a couple things mentioned in the blog that I think deserve some special attention, though.
Not all spam traps actually accept mail. In fact, in all of the 3 case studies, mail was rejected during the SMTP transaction. This did not stop the senders from continuing to attempt to mail to that address, though. I’ve heard over and over again from senders that the “problem” is that spamtrap addresses actually accept mail. If they would just bounce the messages then there would be no problem. This is clearly untrue when we actually look at the data. All of the companies mentioned are large brick and mortar retailers in the Fortune 200. These are not small or dumb outfits. Still, they have massive problems in their mail programs that mean they continue to send to addresses that bounce and have always bounced.
Listings require multiple hits and ongoing evidence of problems. None of the retailers mentioned in the case studies had a single trap hit. No, they had ongoing and repeated trap hits even after mail was rejected. Another thing senders tell me is that it’s unfair that they’re listed because of “one mistake” or “one trap hit.” The reality is a little different, though. These retailers are listed because they have horrible data hygiene and continually mail to addresses that simply don’t exist. If these retailers were to do one-and-out or even three-and-out then they wouldn’t be listed on the SBL. Denny even says that in the blog post.

Q3 Email intelligence report from Return Path

Return Path released their 3rd quarter email intelligence report this week. And the numbers aren’t looking that great for marketers.
Complaints are a major problem for commercial mailers. In the data Return Path examined, commercial mail made up 18% of the total inbox volume. That same mail accounted for 70% of all email complaints.
Additionally, 60% of the email sent to spamtraps was commercial email.
The combination of complaints and spamtrap hits mean 16% of commercial email doesn’t make it to the inbox.
And, as no surprise to anyone, Postini is the worst performing B2B filter out there. Folks behind postini filters only get 23% of the email they’re sent in their inbox. And 44% of that mail is just outright lost.
Ken Magill article.
DMNews article.

Poisoning Spamtraps

Today’s question comes from Dave in yesterday’s comment section.

I wonder if spammers might submit harvested addresses to big-name companies known to not use confirmed opt-in just to poison what they believe might be spamtraps?
Read More

Harvesting and forging email addresses

For the contact address on our website, Steve has set up a rotating set of addresses. This is to minimize the amount of spam we have to deal with coming from address harvesters. This has worked quite well. In fact it works so well I didn’t expect that publishing an email address for taking reader questions would generate a lot of spam.
Boy, was I wrong. That address has been on the website less than a month and I’m already getting lots of spam to it. Most of it is business related spam, but there’s a couple things that make me think that someone has been signing that address up to mailing lists.
One is the confirmation email I received from Yelp. I don’t actually believe Yelp harvested my address and tried to create me an email account. I was happy when I got the first mail from Yelp. It said “click here to confirm your account.” Yay! Yelp is actually using confirmations so I just have to ignore the mail and that will all go away.
At least I was happy about it, until I started getting Yelp newsletters to that address.
Yelp gets half a star for attempting to do COI, but loses half for sending newsletters to people who didn’t confirm their account.
I really didn’t believe that people would grab a clearly tagged address off the blog and subscribe it to mailing lists or networking sites. I simply didn’t believe this happened anymore. I know forge subscribing used to be common, but it does appear that someone forge signed me up for a Yelp account. Clearly there are more dumb idiots out there than I thought.
Of course, it’s not just malicious people signing the address up to lists. There are also spammers harvesting directly off the website.
I did expect that there would be some harvesting going on and that I would get spam to the address. I am very surprised at the volume and type of spam, though. I’m getting a lot of chinese language spam, a lot of “join our business organization” spam and mail claiming I subscribed to receive their offers.
Surprisingly, much of the spam to this address violates CAN SPAM in some way shape or form. And I can prove harvesting, which would net treble damages if I had the time or inclination to sue.
It’s been an interesting experience, putting an unfiltered address on the website. Unfortunately, I am at risk of losing your questions because of the amount of spam coming in. I don’t think I’ve missed any, yet, but losing real mail is always a risk when an address gets a lot of spam – whether or not the recipient runs filters.
I’m still pondering solutions, but for now the questions address will remain as it is.

What causes Spamhaus CSS listings

Today’s Wednesday Question comes from Zaib F.

What causes the Spamhaus CSS listing in your experience other than Sender using multiple sets of IPs, to look as if they are a valid sender. Do you think a Spamtrap plays a role?
Read More

Equivocating about spamtraps

What is a spamtrap? According to a post I saw on Twitter:

Spamtraps are not the problem

Often clients come to me looking for help “removing spamtraps from their list.” They approach me because they’ve found my blog posts, or because they’ve been recommended by their ISP or ESP or because they found my name on Spamhaus’ website. Generally, their first question is: can you tell us the spamtrap addresses on our lists so we can remove them?
My answer is always the same. I cannot provide a list of spamtrap addresses or tell you what addresses to remove. Instead what I do is help clients work through their email address lists to identify addresses that do not and will not respond to offers. I also will help them identify how those bad addresses were added to the list in the first place.
Spamtraps on a list are not the problem, they’re simply a symptom of the underlying data hygiene problems. Spamtraps are a sign that somehow addresses are getting onto a list without the permission of the address owner. Removing the spamtrap addresses without addressing the underlying flaws in data handling may mean resolving immediate delivery issues, but won’t prevent future problems.
Improving data hygiene, particularly for senders who are having blocking problems due to spam traps, fixes a lot of the delivery issues. Sure, cleaning out the traps removes the immediate blocking issue, but it does nothing to address any other addresses on the list that were added without permission. In fact, many of my clients have discovered an overall improvement in delivery after addressing the underlying issues resulting in spamtraps on their lists.
Focusing on removing spamtraps, rather than looking at improving the overall integrity of data, misses the signal that spamtraps are sending.

Dear Email Address Occupant

There’s a great post over on CircleID from John Levine and his experience with a marketer sending mail to a spam trap.
Apparently, some time back in 2002 someone opted in an address that didn’t belong to them to a marketing database. It may have been a hard to read scribble that was misread when the data was scanned (or typed) into the database. It could be that the person didn’t actually know their email address. There are a lot of ways spamtraps can end up on lists that don’t involve malice on the part of the sender.
But I can’t help thinking that mailing an address for 10 years, where the person has never ever responded might be a sign that the address isn’t valid. Or that the recipient might not want what you’re selling or, is not actually a potential customer.
I wrote a few weeks back about the difference between delivery and marketing. That has sparked conversations, including one where I discovered there are a lot of marketers out there that loathe and despise delivery people. But it’s delivery people who understand that not every email address is a potential purchaser. Our job is to make sure that mail to non-existent “customers” doesn’t stop mail from actually getting to actual potential customers.
Email doesn’t have an equivalent of “occupant” or “resident.” Email marketers need to pay attention to their data quality and hygiene. In the snail mail world, that isn’t true. My parents still get marketing mail addressed to me, and I’ve not lived in that house for 20+ years. Sure, it’s possible an 18 year old interested in virginia slims might move into that house at some point, and maybe that 20 years of marketing will pay off. It only costs a few cents to keep that address on their list and the potential return is there.
In email, though, sending mail to addresses that don’t have a real recipient there has the potential to hurt delivery to all other recipients on your list. Is one or two bad addresses going to be the difference between blocked and inbox? No, but the more abandoned addresses and non-existent recipients on a list there are on a list, the more likely filters will decide the mail isn’t really important or wanted.
The cost of keeping that address, one that will never, ever convert on a list may mean losing access to the inbox of actual, real, converting customers.

Information sharing and the Internet

Many years ago I was working at the UW-Madison. Madison is a great town, I loved it a lot. One of the good bits was this local satire paper called The Onion. This paper would show up around campus on Wednesdays. Our lab, like many university employees and students, looked forward to Wednesday and the new humor The Onion would bring to us.
At the same time, I was internet friends with an employee of JPL. I’d met him, like I met many of my online acquaintances, through a pet related mailing list.
One Wednesday, The Onion published an article Mir Scientists Study Effects of Weightlessness on Mortal Terror. As this was the time when the Internet consisted of people banging rocks together, there was not an online link to Onion articles. But I was sure my friend at JPL, and all his friends, would appreciate the joke. That night I stayed late at the lab and typed the article into an email (with full credit to the Onion) and mailed it off to him.
As expected, the article garnered quite a few chuckles and was passed around to various folks inside JPL. What wasn’t expected was another friend, from totally different circles, sending me a copy of that same article 3 days later. Yes, in 1997 it took three days for information to be shared full circle on the Internet.
Information sharing is a whole lot quicker now, with things coming full circle in mere seconds. But that doesn’t make the information any more reliable and true. Take a recent article in ZDNet Research: Spammers actively harvesting emails from Twitter in real-time.
ZDNet links to a study published by Websense, claiming that email addresses on Twitter were available for harvesting.
That’s all well and good, but all ZDNet and Websense are saying is that email addresses are available for harvesting. I’ve not seen any evidence, yet, that spammers are harvesting and sending to them. This doesn’t, of course, mean they’re not, but it would be nice to see the spam email received at an address only shared on twitter.
Well, I have unique addresses and an un-spamfiltered domain. I went ahead and seeded a tagged address onto twitter. We’ll see if it gets harvested and spammers start sending to it. I’ll be sure to keep you updated.

Audit trails are important.

One of the comments on my Spamtraps post claims that audit trails should be maintained by recipients, not senders.

I believe that spamtraps – for the professional marketer – are scare tactics that are no longer relevant. a professional marketer
Read More

Don't think bounce handling is important?

James from Cloudmark has his own insight on spamtraps.

The sledgehammer of confirmed opt-in

We focused Monday on Trend/MAPS blocking fully confirmed opt-in (COI) mail, because that is the Gold Standard for opt-in. It is also Trend/MAPS stated policy that all mail should be COI. There are some problems with this approach. The biggest is that Trend/MAPS is confirming some of the email they receive and then listing COI senders.
The other problem is that typos happen by real people signing up for mail they want. Because MAPS is using typo domains to drive listings, they’re going to see a lot of mail from companies that are doing single opt-in. I realize that there are problems with single opt-in mail, but the problems depends on a lot of factors. Not all single opt-in lists are full of traps and spam and bad data.
In fact, one ESP has a customer with a list of more than 50 million single opt-in email addresses. This sender mails extremely heavily, and yet sees little to no blocking by public or private blocklists.
Trend/MAPS policy is singling out senders that are sending mail people signed up to receive. We know for sure that hard core spammers spend a lot of time and money to identify spamtraps. The typo traps that Trend/MAPS use are pretty easy to find and I have no doubt that the real, problematic spammers are pulling traps out of their lists. Legitimate senders, particularly the ESPs, aren’t going to do that. As one ESP rep commented on yesterday’s post:

A Disturbing Trend

Over the last year or so we’ve been hearing some concerns about some of the blacklisting policies and decisions at Trend Micro / MAPS.
One common thread is that the ESP customers being listed aren’t the sort of sender who you’d expect to be a significant source of abuse. Real companies, gathering addresses from signup forms on their website. Not spammers who buy lists, or who harvest addresses, or who are generating high levels of complaints – rather legitimate senders who are, at worst, being a bit sloppy with their data management. When Trend blacklist an IP address due to a spamtrap hit from one of these customers the actions they are demanding before delisting seem out of proportion to the actual level of abuse seen – often requiring that the ESP terminate the customer or have the customer reconfirm the entire list.
“Reconfirming” means sending an opt-in challenge to every existing subscriber, and dropping any subscriber who doesn’t click on the confirmation link. It’s a very blunt tool. It will annoy the existing recipients and will usually lead to a lot of otherwise happy, engaged subscribers being removed from the mailing list. While reconfirmation can be a useful tool in cleaning up senders who have serious data integrity problems, it’s an overreaction in the case of a sender who doesn’t have any serious problems. “Proportionate punishment” issues aside, it often won’t do anything to improve the state of the email ecosystem. Rather than staying with their current ESP and doing some data hygiene work to fix their real problems, if any, they’re more likely to just move elsewhere. The ESP loses a customer, the sender keeps sending the same email.
If this were all that was going on, it would just mean that the MAPS blacklists are likely to block mail from senders who are sending mostly wanted email.
It’s worse than that, though.
The other thread is that we’re being told that Trend/MAPS are blocking IP addresses that only send confirmed, closed-loop opt-in email, due to spamtrap hits – and they’re not doing so accidentally, as they’re not removing those listings when told that those addresses only emit COI email. That’s something it’s hard to believe a serious blacklist would do, so we decided to dig down and look at what’s going on.
Trend/MAPS have registered upwards of 5,000 domains for use as spamtraps. Some of them are the sort of “fake” domain that people enter into a web form when they want a fake email address (“fakeaddressforyourlist.com”, “nonofyourbussiness.com”, “noneatall.com”). Some of them are the sort of domains that people will accidentally typo when entering an email address (“netvigattor.com”, “lettterbox.com”, “ahoo.es”). Some of them look like they were created automatically by flaky software or were taken from people obfuscating their email addresses to avoid spam (“notmenetvigator.com”, “nofuckinspamhotmail.com”, “nospamsprintnet.com”). And some are real domains that were used for real websites and email in the past, then acquired by Trend/MAPS (“networkembroidery.com”, “omeganetworking.com”, “sheratonforms.com”). And some are just inscrutable (“5b727e6575b89c827e8c9756076e9163.com” – it’s probably an MD5 hash of something, and is exactly the sort of domain you’d use when you wanted to be able to prove ownership after the fact, by knowing what it’s an MD5 hash of).
Some of these are good traps for detecting mail sent to old lists, but many of them (typos, fake addresses) are good traps for detecting mail sent to email addresses entered into web forms – in other words, for the sort of mail typically sent by opt-in mailers.
How are they listing sources of pure COI email, though? That’s simple – Trend/MAPS are taking email sent to the trap domains they own, then they’re clicking on the confirmation links in the email.
Yes. Really.
So if someone typos their email address in your signup form (“steve@netvigattor.com” instead of “steve@netvigator.com”) you’ll send a confirmation email to that address. Trend/MAPS will get that misdirected email, and may click on the confirmation link, and then you’ll “know” that it’s a legitimate, confirmed signup – because Trend/MAPS did confirm they wanted the email. Then at some later date, you’ll end up being blacklisted for sending that 100% COI email to a “MAPS spamtrap”. Then Trend/MAPS require you to reconfirm your entire list to get removed from their blacklist – despite the fact that it’s already COI email, and risking that Trend/MAPS may click on the confirmation links in that reconfirmation run, and blacklist you again based on the same “spamtrap hit” in the future.

A brief guide to spamtraps

“I thought spamtraps were addresses harvested off webpages.”

“I thought spamtraps were addresses that were valid and now aren’t.”

Spamtraps

There is a lot of mythology surrounding spamtraps, what they are, what they mean, how they’re used and how they get on lists.
Spamtraps are very simply unused addresses that receive spam. They come from a number of places, but the most common spamtraps can be classified in a few ways.

We only mail people who sign up!

I get a lot of calls from clients who can’t understand why they have spamtraps on their lists. Most of them tell me that they never purchase or rent lists, and they only mail to people who sign up on their website. I believe them, but not all of the data that people input into webforms is correct.
While I don’t have any actual numbers for how many people lie in forms, there was a slashdot poll today that asked readers “How truthful are you when creating web accounts?”. The answer seems to be “not very” at least for the self-selected respondents.

Reputation

Reputation is the buzzword in delivery these days. Everyone talks about building a good reputation and how to do it. Makes sense, the ISPs are always hammering on reputation and how critical reputation is. The more I talk with delivery folks on the ESP side of thing, the move I realize that there is a fundamental disconnect between what the ESPs mean when they say reputation and what the ISPs mean when they say reputation.
Many people handling delivery think that the bulk of reputation is wrapped up in complaint rates and bounce rates. I think they know the ISPs measure more than just complaints and bounces (spamtraps!) but really believe that most of developing a good reputation is all about keeping those complaints low.
This perspective may have been true in the past, but is becoming less true as time goes on. There are a lot of very smart people managing incoming mail at the ISPs and they are constantly looking for ways to better meet the desires of their customers. Lest we forget, their customers are not the senders, their customers are the end users. Their customers are not senders.
Part of meeting the needs of end users means actually giving them a way to provide feedback. AOL started the trend with the this-is-spam button, and other ISPs (ones that controlled the user interface at least) followed suit. For a very long time, reputation was dominated by complaint percentages, with modifiers for number of spamtrap addresses and number of non-existent users.
The problem is, these numbers were easy to game. Spammers could modify their metrics such that their email would end up in the inbox. In response, the ISPs started measuring things other than complaints, bounces and spamtraps. These other measurements are strong modifiers to complaints, such that mailers with what used to be acceptable complaint rates are seeing their mail end up bulked or even rejected.
Recently, AOL seems to have made some subtle modifications to their reputation scores. The result is mailers who have previously acceptable complaint rates are seeing delivery problems. When asked, AOL is only saying that it is a reputation issue. Lots of senders are trying to figure out what it is that is more important than complaints.
Tomorrow, I will talk about what I think AOL could be measuring.