Audit trails are important.

One of the comments on my Spamtraps post claims that audit trails should be maintained by recipients, not senders.

If people are using legitimate email addresses that legitimately opted in and verified details, they should be required to have a log of which lists they opted in to. You are just asking to hurt legit mailers.

The underlying reasoning appears to be that no sender ever spams, and every recipient or spamtrap owner is just too dumb to remember what they signed up for. If the recipient maintains a list of where they sign up, then spam will be a solved problem.
This is not only an unpersuasive line of argument, it’s also pretending that mailboxes are full of opt-in mail that the recipient just forgot about signing up for.
I do keep track of where I sign up for things. This doesn’t actually help when I get spam. For instance, I know that the address ticketmaster keeps spamming for raves in London was never used to sigh up for anything. Yet ticketmaster keeps telling me it was. They, of course, can’t tell me when or from where, so I treat the mail as spam.
I know that another address did sign up at a client’s site in 2007 as part of an audit I was doing for them. In 2010 that address was leaked to (or stolen by) a bunch of affiliate spammers. In the last 18 months I’ve gotten over 19,000 offers to the address, none of which are related to the original signup. Many of those offers are from real brands, including some that have hired me to investigate their affiliate programs and larger delivery problems.
I know another address was used during correspondence with a vendor discussing payment terms. That address was never given to them to add to a newsletter. They mailed me anyway. I knew that the mail was spam.
Knowing what you signed up for and having a log of what you opted in to doesn’t do anything to stop a sender from sending spam. It also doesn’t help legitimate mailers who may end up with spamtraps on their list. In all of the above situations my knowing where the address was given doesn’t help me or the sender identify what part of their signup process is broken.
If, however, senders had a real audit trail for addresses, they could identify what import brought my address into their list. They could track the dodgy vendor that is selling them bad lists. They can identify the problematic import that brought employee address books into the newsletter database. They could identify what idiot used my email address to buy tickets in London.
If the senders knew what was broken, they could fix the problem and have more deliverable and more responsive mailing lists. Without an audit trail, however, they’re stuck with a bunch of addresses of unknown provenance.

Related Posts

We only mail people who sign up!

I get a lot of calls from clients who can’t understand why they have spamtraps on their lists. Most of them tell me that they never purchase or rent lists, and they only mail to people who sign up on their website. I believe them, but not all of the data that people input into webforms is correct.
While I don’t have any actual numbers for how many people lie in forms, there was a slashdot poll today that asked readers “How truthful are you when creating web accounts?”. The answer seems to be “not very” at least for the self-selected respondents.

Read More

Defeating spamfilters through obsession

[The harasser] was hitting me on email and twitter for more than [2100 messages], and the thing was, those all got past the filters I’ve got in place. So one obsessed crazy man with minimal technical skill and nothing but persistence outperforms all the spambots out there, at least on the scale of individuals, if not in breadth of attack.
PZ Meyers

Read More

Spamtraps

There is a lot of mythology surrounding spamtraps, what they are, what they mean, how they’re used and how they get on lists.
Spamtraps are very simply unused addresses that receive spam. They come from a number of places, but the most common spamtraps can be classified in a few ways.

Read More