Marketing automation plugins facilitate spam

There’s been an explosion of “Google plugins” that facilitate spam through Gmail and G Suite. They have a similar set of features. Most of these features act to protect the spammer from spam filtering and the poor reputation that comes from purchasing lists and incessantly spamming targets. Some of these plugins have all the features of a full fledged ESP, except a SMTP server and a compliance / deliverability team.
I’ll give the folks creating these programs credit. They identified that the marketers want a way to send mail to purchased lists. But ESPs with good deliverability and reputations don’t allow purchased lists. ESPs that do allow purchased lists often have horrible delivery problems. Enter the spam enabling programs.
From the outside, the folks creating these programs have a design goal to permit spam without the negatives. What do I mean? I mean that the program feature set creates an environment where users can send spam without affect the rest of their mail.
The primary way the software prevents spam blocking is using  Google, Amazon or Office 365 as their outbound mail server. Let’s be frank, these systems carry enough real mail, they’re unlikely to be widely blocked. These ISPs are also not geared up to deal with compliance the same way ESPs or consumer providers are.
There seem to be more and more of these companies around. I first learned of them when I started getting a lot of spam from vaguely legitimate companies through google mail servers. Some of them were even kind enough to inform me they were using Gmail as their marketing strategy.

I didn’t realize quite how big this space was, though. And it does seem to be getting even bigger.
Then a vendor in the space reached out looking for delivery help for them and their customers. Seems they were having some challenges getting mail into some ISPs. I told them I couldn’t help. They did mention 3 or 4 names of their competitors, to help me understand their business model.
Last week, one of the companies selling this sort of software asked me if I’d provide quotes for a blog article they were writing. This blog article was about various blocklists and how their software makes it such that their customers don’t really have to worry about blocking. According to the article, even domain based blocking isn’t an issue because they recommend using a domain completely separate from their actual domain. I declined to participate. I did spend a little time on their website just to see what they were doing.
This morning a vendor in the space joined one of the email slack channels I participate in asking for feedback on their software. Again, they provide software so companies can send spam through google outbound IPs. Discussions with the vendor made it clear that they take zero responsibility for how their software is used.
I don’t actually expect that even naming and shaming these companies facilitating spam will do anything to change their minds. They don’t care about the email ecosystem or how annoying their customers are. About the best they could do is accept opt-out requests from those of us who really don’t want to be bothered by their customers. Even that won’t really help, even domain based opt-outs are ineffective.
What needs to happen is companies like Google, Amazon and Microsoft need to step up and enforce their anti-spam policies.

Gmail: You agree not to, and not to allow third parties or Your End Users, to use the Services: to generate or facilitate unsolicited bulk commercial email;

Office 365: When using Microsoft Online Services, you may not:  […] Use the Services to transmit, distribute, or deliver any unsolicited bulk or unsolicited commercial e-mail (i.e., spam)

Amazon: You will not distribute, publish, send, or facilitate the sending of unsolicited mass e-mail or other messages, promotions, advertising, or solicitations (like “spam”), including commercial advertising and informational announcements. You will not alter or obscure mail headers or assume a sender’s identity without the sender’s explicit permission. You will not collect replies to messages sent from another internet service provider if those messages violate this Policy or the acceptable use policy of that provider.

Ideally, the folks providing these services will have all the tools regular ESPs do. I’m sure many of them do have a subset of those tools. But whether or not these issues are big enough to notice or deal with – as opposed to the other outbound issues they have to deal with – remains to be seen.
Of course, if the issues are big enough, the ISPs will take action and quickly. For instance, last week a poster on mailop pointed out Microsoft was the #1 spam ISP on Spamhaus’ list. A MS rep on the list responded and said they were notifying the appropriate people. This morning when I looked in preparation for this post, Microsoft was #1. When I just went to go get a screenshot, Microsoft wasn’t on the list any longer.
I know many people in the anti-abuse space are working on messaging abuse of the future. Calendar invites are one of the emerging issues. I just hope they don’t forget to address this B2B spam that goes out of its way to hide from current anti-spam services and technology.

Related Posts

Time to step up

Neil Schwartzman reacts to yesterday’s link post.

Read More

Parasites hurt email marketing

As a small business owner I am a ripe target for many companies. They buy my address from some lead generation firm, or they scrape it off LinkedIn, and they send me a message that pretends to be personalized but isn’t really.
“I looked at your website… we have a list of email addresses to sell you.”
“We offer cold calling services… can I set up a call with you?”
“I have scheduled a meeting tomorrow so I can tell you about our product that will solve all your technical issues and is also a floor wax.”
None of these emails are anything more than spam. They’re fake personalized. There’s no permission. On a good day they’ll have an opt out link. On a normal day they might include an actual name.
These are messages coming to an email address I’ve spent years trying to protect from getting onto mailing lists. I don’t do fishbowls, I’m careful about who I give my card to, I never use it to sign up for anything. And, still, that has all been for naught.
I don’t really blame the senders, I mean I do, they’re the ones that bought my address and then invested in business automation software that sends me regular emails trying to get me to give them a phone number. Or a contact for “the right person at your business to talk to about this great offer that will change your business.”
The real blame lies with the people who pretend that B2B spam is somehow not spam. Who have pivoted their businesses from selling consumer lists to business lists because permission doesn’t matter when it comes to businesses. The real blame lies with companies who sell “marketing automation software” that plugs into their Google Apps account and hijacks their reputation to get to the inbox. The real blame lies with list cleansing companies who sell list buyers a cleansing service that only hides the evidence of spamming.
There are so many parasites in the email space. They take time, energy and resources from large and small businesses, offering them services that seem good, but really are worthless.
The biologically interesting thing about parasites, though, is that they do better if they don’t overwhelm the host system. They have to stay small. They have to stay hidden. They have to not cause too much harm, otherwise the host system will fight back.
Email fights back too. Parasites will find it harder and harder to get mail delivered in any volume as the host system adapts to them. Already if I look in my junk folder, my filters are correctly flagging these messages as spam. And my filters see a very small portion of mail. Filtering companies and the business email hosting systems have a much broader view and much better defenses.
These emails annoy me, but I know that they are a short term problem.  As more and more businesses move to hosted services, like Google Apps and Office365 the permission rules are going to apply to business addresses as well as consumer addresses. The parasites selling products and services to small business owners can’t overwhelm email. The defenses will step in first.
 

Read More

Targeted marketing done badly

There was quite a bit of content I cut out on my rant about parasites in the email ecosystem earlier this week. I had whole section on people who ask to connect on LinkedIn and then immediately send a pitch or scrape your address and add it to their marketing automation software and start spamming. Generally, the only reason I will drop someone off LinkedIn is because they do this.
envelopes
Today, one of the deliverability mailing lists has been hopping over spam many folks in the industry received. The discussion started off simple enough, someone said “Is <companyname> spamming the industry?” People immediately chimed in that yeah, it did appear so.
A few people said they’d gotten the message and thought it was personal and were disappointed it wasn’t. Others weren’t sure why they were chosen to receive this message, or why some of their co-workers were chosen. A few of us didn’t get them. I didn’t.
This is a great example of marketing that was reasonably well planned, but a total fail for not knowing their audience. The product in question is an anti-abuse product. The company wants to reach people in the anti-abuse industry. They go off and find people in the anti-abuse industry and send them an email. Mail that seems personalized. It was a perfectly reasonable email. It asked questions and did get some people to engage with it by replying. They even appear to have done A/B testing on subject lines.
All solid marketing decisions. All great things to do.
But, the anti-abuse community is small, particularly the ESP anti-abuse community. We talk on mailing lists, IRC, LinkedIn, Facebook and Slack – and those are just the places I’m connected to. I’m sure there are other meeting places. The fact is, we’re a community and we do interact. If you’re going to try and do something like this, you have to expect that we’re going to realize you’re spamming. And many of us have very low tolerance for this kind of stuff.
A few years ago I worked with some senders who acquired most of their email addresses from technical conferences. They had a lot of delivery problems because a lot of their audience were the people who wrote and maintained filters. Spam the person who writes a spam filter and you may find yourself locked out from all of those filter users. I finally realized I couldn’t help those clients. No amount of technical perfection, personalization, looking like one-to-one mail or magic address cleaning is going to make this audience want your mail.
Marketing starts at understanding your audience. Permission is one of the better ways to understand your audience. Marketing to the anti-abuse crowd is a challenge. I can’t see any place where unsolicited email successfully fits into that plan.

Read More