Spam from mainstream companies

Yesterday I wrote about spam I received advertising AARP and used it as an example of a mainstream group supporting spammers by hiring them (or hiring them through proxies) to send mail on their behalf.
My statement appears to have upset someone, though. There is one comment on the post, coming from an IP address allocated to the AARP.

This isn’t from AARP…this is a SPAM that’s been going around for years now. Did you bother looking into the source code to see where it sends you? My guess is it ain’t AARP…Do you know what you’re talking about?

What I’m talking about is one reason spam is such a problem. There are a large number of mainstream companies, like AARP, that support spammers by hiring them either directly or indirectly.
Sure, the links in the email don’t point directly to the AARP. They go through multiple redirects and end up at https://www.aarpmembership.org/enroll/index.php<encodedlink>. I grabbed a screen shot of the website.

Screenshot of not-the-AARP spam landing page
Doesn't this look like an official AARP website?
If you pull off the encoded end of the link and just go to aarpmembership.com, then you get a 403 forbidden message. That’s what spammers do: put up partial websites to collect information. They don’t bother mirroring the customer’s whole website; they just put up a form to collect information.
Now, it’s certainly possible that this spam is from a group of phishers attempting to use the AARP brand. If that’s true, though, why is the commenter asking me if I know what I’m talking about? Why isn’t he concerned about the AARP brand being advertised in spam?
I’m not trying to pick specifically on the AARP; they’re not the only company to do this. Gerber hired spammers to sell me their baby-insurance package. Gevalia has been advertised by spam for years. The list of companies using spam goes on and on.
But this behaviour (hiring spammers to send mail while being able to claim it was the work of some spammer who just decided to send mail advertising AARP memberships, or Gerber baby insurance, or 500 business cards for a dollar) is a major part of the spam problem. This is why the ISPs keep increasing their standards. This is why getting into the inbox is so difficult. This is why just being a legitimate company isn’t enough.
