AARP, SureClick, Offerweb and Spam

On Tuesday Laura wrote about receiving spam sent on behalf of the AARP. The point she was discussing was mostly just how incompetent the spammer was, and how badly they’d mangled the spam such that it was hardly legible.
One of AARPs interactive advertising managers posted in response denying that it was anything to do with the AARP.

This isn’t from AARP…this is a SPAM that’s been going around for years now. Did you bother looking into the source code to see where it sends you? My guess is it aint AARP…Do you know what your talking about?

Yes, Scott, we do know what we’re talking about, and we did look into the source code.
Yesterday Laura discussed in general principles how mainstream companies typically send spam by hiring a company who hires a company who hires a company to send spam.
We’re fairly familiar with how this works – one of the things Word to the Wise does is to provide forensics and expert witness services in email-related cases – so we dug into this email so as to work out what the story behind it was.
The story, as far as we can tell at a quick look, is that the AARP hired a company called SureClick to generate “Qualified Leads”.

SureClick homepage
You can see that they’re fairly proud to have the AARP as a flagship client.
What do SureClick do for their flagship client? They pay affiliates to drive traffic to their AARP membership signup page. I’m not sure exactly how much they’re paying for each signup, but it must be more than $12 as that’s how much SureClick’s affiliates are, in turn, offering to pay their affilliates.
In the case of the spam sent to Laura the affiliate SureClick hired was OfferWeb. What do OfferWeb do? They pay affiliates to drive traffic to their landing page. Seeing a pattern yet?
OfferWeb then hired a hard core spammer to actually send the spam on AARPs behalf. This guy, apparently based in Utah but spamming from a machine hosted in Pennsylvania, is doing everything he can to avoid his spam being recognised and blocked, using dozens of domains and IP addresses and sending messages stuffed full of hashbusters that have hardly any text, just images, to try and hide from spam filters.
One irony is that the Pennsylvania ISP who is hosting the spammer is also the same ISP who host the email account the spam was sent to. Sometimes the best place to start cleaning up is close to home.
So the spammer sends out millions of pieces of email to addresses he’s harvested or bought, most of which is blocked or ends up in the junk folder. When someone responds he passes them on to OfferWeb, who pass them on to SureClick who sign them up for the AARP. Then the AARP pays SureClick, who keep some of the money and pay OfferWeb, who keep some of the money and give the rest to the spammer.
It’s the advertising budget at AARP, and hundreds of companies like them, that makes this sort of spamming worthwhile.
If you’re interested in where all this data came from, check back tomorrow.

Related Posts

Important notification spammers break the law

I’m currently being inundated at multiple address with spam advertising spamming services. Most of these notices have the subject line: IMPORTANT NOTIFICATION. The text includes:

Read More

Spam from mainstream companies

Yesterday I wrote about spam I received advertising AARP and used it as an example of a mainstream group supporting spammers by hiring them (or hiring them through proxies) to send mail on their behalf.
My statement appears to have upset someone, though. There is one comment on the post, coming from an IP address allocated to the AARP.

Read More

The legitimate email marketer

I cannot tell you how many times over the last 10 years I’ve been talking to someone with a problem and had them tell me “but I’m a legitimate email marketer.” Most of them have at least one serious problem, from upstreams that are ready to terminate them for spamming through widespread blocking. In fact, the practices of most companies who proclaim “we’re legitimate email marketers” are so bad that the phrase has entered the lexicon as a sign that the company is attempting to surf the gray area between commercial email and spam as close to the spam side of that territory as possible.
What do I mean by that? I mean that the address collection practices and the mailing processes used by self-proclaimed legitimate email marketers are sloppy. They don’t really care about individual recipients, they just care about the numbers. They buy addresses, they use affiliates, they dip whole limbs in the co-reg pool; all told their subscription practices are very sloppy. Because they didn’t scrape or harvest the email address, they feel justified in claiming the recipient asked for it and that they are legitimate.
They don’t really care that they’re mailing people who don’t want their mail and really never asked to receive it. What kinds of practices am I talking about?
Buying co-reg lists. “But the customer signed up, made a purchase, took an online quiz and the privacy policy says their address can be shared.” The recipient doesn’t care that they agreed to have their email address handed out to all and sundry, they don’t want that mail.
Arguing with subscribers. “But all those people who labeled my mail as spam actually subscribed!!!” Any time a mailer has to argue with a subscriber about the validity of the subscription, there is a problem with the subscription process. If the sender and the receiver disagree on whether there was really an opt-in, the senders are rarely given the benefit of the doubt.
Using affiliates to hide their involvement in spam. A number of companies use advertising agencies that outsource acquisition mailings that end up being sent by spammers. These acquisition mailings are sent by the same spammers sending enlargement spam. The advertiser gets all the benefits of spam without any of the consequences.
Knowing that their signup forms are abused but failing to stop the abuse. A few years back I was talking with a large political mailer. They were insisting they were legitimate email marketers but were finding a lot of mail blocked. I mentioned that they were a large target for people forging addresses in their signup form. I explained that mailing people who never asked for mail was probably the source of their delivery problems. They admitted they were probably mailing people who never signed up, but weren’t going to do anything about it as it was good for their bottom line to have so many subscribers.
Self described legitimate email marketers do the bare minimum possible to meet standards. They talk the talk to convince their customers they’re legitimate:

Read More