That's not how you do it…

Got an email this morning from a company advertising their newest webinar “The Two Pillars of Effective Large-Scale Email: Security and Deliverability.” The message came to a tagged address, so clearly I’d given them one at some point. But I didn’t recognize the name or company or anything. I did a search to see when I may have interacted with this company in the past.

Looking through my old emails, it appears I contacted this company through their support form back in 2007. They were blocking a client’s newsletter. This is what I sent:

One of my clients has asked me to talk with you about your blocking schemes. They’re rather confused as their mail to a customer (one-to-one mail, not bulk) is ending up in the junk/spam folder. They’re not sure what they’re doing to get filtered.
Is there someone who can talk to me about your filtering schemes so I can explain to your mutual customer what is happening?

The response was pretty unhelpful.

I see that the email address insight@ESP is already in Michael’s allow list in his Email Defense filter settings — was this a recent addition? This should let any emails sent from that address through without being filtered first. Another suggestion would be to add the source IP address itself to his allow list if emails are still being caught. Let us know if this alleviates the situation.

That’s the last I heard from said company until this morning, when they sent me an ad.

A common question we’re asked is “How can I safely and securely utilize large-scale/mass emailing to communicate?”
Whether you’re sending newsletters, announcements, notifications, even sensitive or private information, there are two pillars you must have in place to ensure your communications are sent securely AND are delivered without being classified as spam.

One way to prevent communications from being classified as spam is to not grab addresses from a decade ago out of your support queue and use them for marketing out of the blue. Also, I’m much more likely to trust your opinion on delivery if you follow CAN SPAM. I mean, it’s nice you sent me a picture of the nice lady who sent the spam, but you forgot to put a postal address on the email.
Interestingly enough, the company actually has a pretty effective-sounding AUP for their customers. They prohibit, among other things:

  • Automatically opting visitors or purchasers into their subscriber list. This includes “pre-checking” an opt in box on forms.
  • Automatically adding subscribers on one mailing list to unrelated mailing lists
  • Sending emails to subscribers that are unrelated to the purpose to which they opted in
  • Adding people to the mailing list without their permission
  • Sending messages to people who have requested to be removed from the mailing list
  • Using old lists without checking with the subscribers that their addresses are still valid and that they still wish to be subscribed.

Too bad they don’t apply their AUP to their own email program.

Related Posts

The cycle goes on

Monday I published a blog post about the ongoing B2B spam and how annoying it is. I get so many of these they’re becoming an actual problem. 3, 4, 5 a day. And then there’s the ongoing “drip” messages at 4, 6, 8, 12 days. It is getting out of control. It’s spam. It’s annoying. And most of it’s breaking the law.
But, I can also use it as blog (and twitter!) fodder.


TWSD: Lying and Hiding

Another installment in my ongoing series: That’s What Spammers Do. In today’s installment we take a look at a company deceiving recipients and hiding their real identity.
One of my disposable addresses has been getting heavily spammed from mylife.com. The subject lines are not just deceptive, they are provably lies. The mail is coming from random domains like urlprotect.com or choosefrequency.com or winnernotice.com advertising links at safetyurl.com or childsafeblogging.com or usakidprotect.com.
The spam all claims someone is “searching for…” at their website. The only thing is, the email address is associated with a fake name I gave while testing a website on behalf of a client. I know what website received the data and I know what other data was provided during the signup process. I also know that the privacy policy at the time said that my data would not be shared and that only the company I gave the information to would be sending me email.
Just more proof that privacy policies aren’t worth the paper they’re written on. But that’s not my real issue here.
The real issue is that I am receiving mail that is clearly deceptive. The subject lines of the emails up until yesterday were “(1) New Message – Someone Searching for You, Find Out…” Yesterday, I actually clicked through one of the messages to confirm that the emails were ending up at mylife.com. After that, the subject lines of the emails changed to “(1) New Person is Searching for You.”  I don’t know for sure that my click has caused the change in subject lines, but the timing seems a bit coincidental.
It’s not that someone, somewhere gave mylife.com bad data, or that someone typed a name into the mylife.com search engine and the mylife.com database showed that name and my email address were the same. Neither this name nor this email address shows up in a Google search and I can say with certainty that this is a unique address and name combination given to a specific website. Therefore, the subject lines are clearly and demonstrably lies.
The spams are also coming from different domains and advertising links in different domains. The content is identical, the CAN SPAM addresses are identical. While the court may not rule this is deceptive under the rules of CAN SPAM, it certainly is an attempt to avoid domain level spam filters.
Who are mylife.com? Well, their website and the CAN SPAM address on their spam claims they are the company formerly known as reunion.com. I’ve talked about reunion.com here before. They have a history of harvesting addresses from users’ address books. They were sued for deceptive email practices under California law, but won the case just recently. They seem to think that the court case was permission to send deceptive email and have thus ramped up their deceptive practices.
If you are a legitimate email marketer, there are a couple of take-home messages here.
1) Spammers send mail with different domains, from different IP addresses, that contain identical content, landing pages and CAN SPAM addresses. Legitimate marketers should not rotate content and sends through different domains or different IP addresses. Pick your domain, pick your IP and stick with it.
1a) Spammers use randomly chosen domain names and cycle through domains frequently. Legitimate marketers must not use unrelated domains in marketing. Use a domain name that relates to your product, your industry or you.
2) Spammers send mail with deceptive subject lines. Legitimate marketers should make sure their subject lines are clear and truthful.
3) Spammers send mail in violation of the privacy policy under which information was collected. Legitimate marketers should be very careful to handle data in accordance with their privacy policies.
That’s what spammers do. Is that what you do?
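The pattern in points 1 and 1a (identical content and CAN SPAM address, rotating sender and link domains) is something a receiver can look for by keying on the content instead of the domain. The sketch below is an added example, not code from the original post: it masks URLs, hashes what is left of the body, and reports any body that arrived from several sender domains. The sample messages, their `.example` domains, the postal address and the `min_domains` threshold are all constructed for illustration.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.I)

def fingerprint(body):
    """Hash the body with URLs masked and whitespace/case folded, so a
    rotated link domain does not change the result."""
    text = URL_RE.sub("<url>", body)
    text = re.sub(r"\s+", " ", text).strip().lower()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

def find_rotation(raw_messages, min_domains=3):
    """Group messages by content fingerprint and return the groups whose
    identical content arrived from at least min_domains sender domains."""
    clusters = defaultdict(lambda: {"from": set(), "links": set(), "count": 0})
    for raw in raw_messages:
        msg = message_from_string(raw)
        body = msg.get_payload()  # assumes single-part text/plain messages
        c = clusters[fingerprint(body)]
        c["from"].add(parseaddr(msg["From"])[1].rpartition("@")[2].lower())
        c["links"].update(m.group(1).lower() for m in URL_RE.finditer(body))
        c["count"] += 1
    return {fp: c for fp, c in clusters.items() if len(c["from"]) >= min_domains}

def _sample(sender, link_host, subject):
    # Constructed message: domains, text and postal address are made up.
    return (f"From: Alerts <news@{sender}>\n"
            f"Subject: {subject}\n\n"
            "Someone is searching for you. See who:\n"
            f"http://{link_host}/view\n\n"
            "Example Corp, 123 Placeholder St, Anytown\n")

SAMPLES = [
    _sample("sender-a.example", "links-x.example", "(1) New Message"),
    _sample("sender-b.example", "links-y.example", "(1) New Message"),
    _sample("sender-c.example", "links-z.example", "(1) New Person"),
    # A sender that sticks to one domain for both From and links.
    "From: Shop <news@store.example>\nSubject: March newsletter\n\n"
    "Spring catalogue: https://store.example/spring\n\nStore Ltd, 1 High St\n",
]

if __name__ == "__main__":
    for fp, c in find_rotation(SAMPLES).items():
        print(fp, c["count"], sorted(c["from"]), sorted(c["links"]))
```

The subject line is left out of the fingerprint on purpose, so a changed subject on otherwise identical mail still lands in the same group.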


TWSD: breaking the law

I tell my clients that they should comply with CAN SPAM (physical postal address and unsubscribe option) even if the mail they are sending is technically exempt. The bar for legality is so low, there is no reason not to.
Sure, there is a lot of spam out there that does not comply with CAN SPAM. Everything you see from botnets and proxies is in violation, although many of those mails do actually meet the postal address and unsubscribe requirements.
One of my spams recently caught my eye today with their disclaimer on the bottom: “This email message is CAN SPAM ACT of 2003 Compliant.” The really funny bit is that it does not actually comply with the law. Even better, the address it was sent to is not published anywhere, so the company could also be nailed for a dictionary attack and face enhanced penalties.
It reminds me of the old spams that claimed they complied with S.1618.
