One way to deal with B2B spam

We’ve been talking a lot about B2B spam recently. I’ve posted repeatedly, Steve wrote a post about it yesterday. It’s in the forefront of our minds because we’re dealing with just so much of it. Multiple emails a day asking for “just 10 minutes of your time.” Of course, the 10 minutes isn’t really just 10 minutes. Sure, the call might be 10 minutes, but there’s overhead to that call that will probably eat 20 – 30 minutes of time. That’s at best.
Because they’re using providers who don’t notice or don’t care about the spam, there’s little to be done. No one is going to stop them from mailing me. They are required to comply with the law, but 99% of the mail doesn’t. Which gave me an idea.
I’ve started replying to every incident of “just 10 minutes of your time” with a pleasant email thanking them for their interest in our CAN SPAM verification program. I point out that I have noticed at least one violation and we’re happy to consult with them on how to fix it for a fee.
Wait? You mean they’re not interrupting my time simply to receive a sales pitch? Well. Gee. I’m just replying to them.
It seems petty, but we’re less than 2 weeks into 2017 and I already have over a dozen of these “one time” emails. If history tells me anything, these same people will follow up in a week, and then 2 weeks, and then a month. Meanwhile, new people are going to be sending me a request for 10 minutes of my time, and their followups and in a month I’ll be getting a dozen emails a week. In two months I’ll be getting 2 dozen. In 3 months it will be 4 dozen.
And, yeah, most of these messages do violate CAN SPAM. Most of them by not including an unsubscribe links, which makes getting the mail to stop a challenge. There’s no way to unsubscribe, so it’s either answer it or just keep getting contacted. I wrote last year about the woman who continued to email me for months. She even announced she was going to call 911 because clearly I was injured and unable to answer her mail.  Multiple times she promised to stop mailing me, but never did.
I do feel bad for many of these senders. They’ve been sold on a prospecting tool by vendors who fail to provide them with a minimal level of guidance. Even just mentioning that there are laws regulating email, and they should comply with them would be better than nothing.
In many ways I find this kind of spam more annoying than the viagra or the malware that ends up in my mailbox. Those can be selected and deleted pretty easily. These, however, have subject lines that look just like my legitimate business mail. I have to read them and figure stuff out. It’s a total PITA.
EDIT: And it’s not even effective according to some experts.

Related Posts

April 2016: The Month in Email

We are finishing up another busy month at WttW. April was a little nutty with network glitches, server crashes, cat woes, and other disruptions, but hopefully that’s all behind us as we head into May. I’ll be very busy in May as well, speaking at Salesforce Connections in Atlanta and the Email Innovation Summit in Las Vegas. Please come say hello if you’re attending either of these great events.
April2016MiE
Speaking of great events, I participated in two panels at EEC16 last month. We had a lot of great audience participation, and I met many wonderful colleagues. I wrote up some more thoughts about the conference here. I also had a nice conversation with the folks over at Podbox, and they’ve posted my interview on their site.
In the Podbox interview, as always, I talked about sending mail people want to receive. It always makes me roll my eyes a bit when I see articles with titles like “5 Simple Ways to Reach the Inbox”, so I wrote a bit about that here. In addition to sending mail people want to receive, senders need to make sure they are collecting addresses and building lists in thoughtful and sustainable ways. For more on this topic, check out my post on list brokers and purchased lists.
These same not-so-simple tricks came up again in my discussion of Gmail filters. Everyone wants a magic formula to reach the inbox, and — sorry to burst your bubble — there isn’t ever going to be one. And this is for a good reason: a healthy filter ecosystem helps protect all of us from malicious senders and criminal activity. The email channel is particularly vulnerable to fraud and theft. The constant evolution of filters is one way mail providers can help protect both senders and recipients — but it can be challenging for senders and systems administrators to keep up with this constant evolution. For example, companies sometimes even inadvertently filter their own mail!
I also wrote a bit about how B2B spam is different from B2C spam, and how marketers can better comply with CAN SPAM guidelines in order to reach the inbox. We also republished our much-missed friend and colleague J.D. Falk’s DKIM Primer, which is extremely useful information that was at a no-longer-active link.
One of my favorite posts this month was about “dueling data”, and how to interpret seemingly different findings around email engagement. We also got some good questions for my “Ask Laura” column, where we cover general topics on email delivery. This month we looked at “no auth/no entry” and the Microsoft Smartscreen filter, both of which are useful things to understand for optimizing delivery.
Finally, we are pleased to announce that we’ve joined the i2Coalition, an organization of internet infrastructure providers. They posted a nice introduction on their blog, and we look forward to working with them to help advocate and protect these important technical infrastructures.

Read More

It's still spam

Companies are always trying to find new ways to use and abuse email. My mailbox has been rife with mail from companies trying to sell me stuff for my business. It’s been interesting to watch the new ways they’re trying to get attention, while not honoring the most important rule of email marketing.
EmalMarketingForBlog

Read More

Google and Amazon and B2B spam

Many of the operational goals of a commercial spammer aren’t related to email delivery at all, rather they revolve around optimizing ROI and minimizing costs. That’s even more true when the spammer isn’t trying to sell their own product, rather they’re making money by sending spam for other companies.
Most legitimate network providers pay at least lip service to not allowing abusive behaviour such as spam from their networks, so a spammer has to make a few choices about what infrastructure to use to optimize their costs.
They can be open about who they are and what they do, and host with a reputable network provider, and build out mailservers much as any legitimate ESP would do. But eventually they’ll get blacklisted by one of the more reputable reputation providers – leading to little of their mail being delivered, and increasing the pressure on their provider to terminate them. They social engineer their provider’s abuse desk, and drag their feet, and make small changes, but eventually they’ll need to move to another provider. Both the delaying tactics and the finally moving are expensive.
Or they can host with a network provider who doesn’t care about abuse from their network, and do the same thing. But they’ll still get blacklisted and, unlike on a more reputable network, they’re much less likely to get any benefit of the doubt from any reputation providers.
Every time they get blacklisted they can move to a new network provider. That’s easy to do if your infrastructure is virtual machine based and moving providers just involves buying a new hosting account. But as anyone who’s heard the phrase “ramping-up” knows mail from new network space is treated with suspicion, and as they’re continually moving their mail won’t reach the inbox much.
Preemptively spreading the sources of your spam across many different IP addresses on different providers, and sending spam out at low enough levels from each address that you’re less likely to be noticed is another approach. This is snowshoe spam and spam filters are getting better at detecting it.
What to do? In order to get mail delivered to the inbox the spammer needs to be sending from somewhere with a good reputation, ideally intermingled with lots of legitimate email, so that the false-positive induced pain of blocking the mailstream would be worse than their spam. That’s one reason a lot of spammers send through legitimate ESPs. They’re still having to jump from provider to provider as they’re terminated, but now they’re relying on the delivery reputation of the shared IP pools at each new ESP they jump to. But that still takes work to move between ESPs. And ESP policy enforcement people talk to each other…
As a spammer you want your mail to be sent from somewhere with good reputation, somewhere you can use many different accounts, so your spam is spread across many of them,  flying below the radar. Ideally you wouldn’t have any documented connection to those accounts, so your activity won’t show up on any aggregated monitoring or reporting.
If nothing in the mail sent out identifies you there is nowhere for recipients to focus their ire. And if recipients can’t tell that the hundreds of pieces of spam in their inbox came from a single spammer, they’re much less likely to focus efforts on blocking that mail stream.
Over the past couple of years I’ve seen a new approach from dedicated B2B spammers, the sort who sell “buy and upload a list, blast out something advertising your company, track responses, send multiple mails over a series of weeks” services to salespeople. They’re the ones who tend to have glossy, legitimate websites, talking about “lead nurturing”, “automated drip campaigns” or “outreach automation”.
They have each of their customers sign up for gmail or google apps accounts, or use their existing google apps accounts, and then the spammer funnels the spam sent on behalf of that customer through that google account. There’s no obvious connection between the spammer and the google account so there’s no risk to the spammer. Google is fairly unresponsive to spam complaints, so as long as the volume sent by each customer isn’t spectacularly high it’s going to be well below Google automation’s threshold of notice.
Google do record where mail that’s injected into their infrastructure in this way comes from, in the Received headers. But the spammers run their sending infrastructure – list management, message composition, tracking and so on – on anonymous, throwaway virtual machines hosted on Amazon’s EC2 cloud, so there’s nothing in the email that leads back to the spammer.
And, for recipients, that’s a problem. Spam filters aren’t going to block this sort of mail, as they can’t easily tell it is this sort of mail. It’s coming from Google MTAs, just like a lot of legitimate mail does. In terms of sheer volume it’s dwarfed by botnet sourced mail or dubious B2B manufacturing spam out of Shenzhen. But, unlike most of that, it’s in your inbox, in front of your eyeballs and costing you time and focus. And that’s much more expensive than network infrastructure or mailbox storage space.
I’m not sure what, if anything, Google or Amazon can do about it at scale, but it’s something that’s going to need to be dealt with eventually.
Meanwhile, if you receive some marginally personalized mail from a sales rep, one attempting to look like 1:1 mail, look at the headers. If you see something like this …

Read More