In my own work with clients, I usually start with making sure all the technical issues are correct. As almost all spam filtering is score based, and the minor scores given to things like broken authentication and header issues and formatting issues can make the difference between an email that lands in the inbox and one that doesn’t get delivered.

I don’t think I’m alone in this approach, as many of my clients come to me for help with their technical settings. In some cases, though, fixing the technical problems doesn’t fix the delivery issues. No matter how much my clients tweak their settings and attempt to avoid spamfilters by avoiding FREE!! in the subject line, or changing the background, they still can’t get mail in the inbox.

Why not? Because they’re sending mail that the recipients don’t really want, for whatever reason. There are so many ways a sender can collect an email address without actually collecting consent to send mail to that recipient. Many of the “list building” strategies mentioned by a number of experts involve getting a fig leaf of permission from recipients without actually having the recipient agree to receive mail.

Is there really any difference in permission between purchasing a list of “qualified leads” and automatically adding anyone who makes a purchase at a website to marketing lists? From the recipient’s perspective they’re still getting mail they don’t want, and all the technical perfection in the world can’t overcome the negative reputation associated with spamming.

The secret to inbox delivery: don’t send mail that looks like spam. That includes not sending mail to people who have not expressly consented to receive mail.

The gist of the story is that Mr. Luckman thinks that because it is legal to purchase lists and send mail that there is nothing anyone can do to stop him from doing so. Unfortunately for Mr. Luckman, this isn’t actually true. Simply complying with the law does not mean that spamming behaviour has to be tolerated by ISPs. What’s more, ISPs have a lot of power to stop him.

His recipients’ ISPs can stop him. Filtering companies can stop him. And his upstream can stop him. In fact, Mr. Luckman’s upstream is GoDaddy, a company that has an abuse desk that is one of the toughest on the Internet. They do not tolerate spamming at all and will disconnect customers that are spamming whether or not there is a SBL listing involved.

Sure, Mr. Luckman is complying, or says he’s complying, with CAN SPAM. But that doesn’t change the fact that he is violating his contract with GoDaddy. Given that admission, I am extremely surprised that the reporter focused so exclusively on Spamhaus’ role in this, without mentioning GoDaddy’s abuse enforcement or that Mr. Luckman has to comply with contracts he signed.

Most reputable marketers agree that sending mail to purchased email addresses is spam. Most recipients agree that mail they didn’t ask to receive is spam. Even the reporter agrees that Mr. Luckman is a spammer. Compliance with CAN SPAM doesn’t mean anyone is required to accept his mail, nor provide him with a connection to the rest of the internet.

This is a lesson Mr. Luckman is having problems learning. Instead of fixing his process so he isn’t sending spam, he contacts a reporter to plead his case in the court of public opinion. Sadly for him, most people hate spam and won’t defend a self admitted spammer against a blocking group. In fact, over 80% of the people who have voted in the “has Spamhaus gone too far” poll have said no. What’s your vote?

As a very simple example, someone may have a “real” email address provided by their ISP and a gmail address. If they only ever sign up for bulk email using their gmail account then they know that any bulk email they receive at their ISP email address is not mail they signed up for, and hence that it’s spam.

A more flexible way of having multiple email addresses is what’s known as “boxing” or “tagging” – being able to make up new variants of your email address on the fly. How that’s done varies depending on the mail system you use, but typically you’ll be able to add a string to the end of your email address, separated by a “+” or a “-”. For example, if my main email address is steve@blighty.com I can create a tagged address like steve-blogspam@blighty.com. They’ll both be delivered to my inbox by default, or I can use the tag to route the mail to another mailbox (either using the filtering rules in my mail client, or something like procmail or sieve running on the mailserver).

Because I’ve never sent mail from the email address steve-blogspam@blighty.com, nor given it to anyone, nor even mentioned it anywhere other than this blog post I know that any email I get to it was sent by a spammer who harvested it from this page or the blog rss feed. On the other end of the spectrum I have tagged email addresses that I’ve created specifically to give to one of our vendors, and so I know that if I see email sent to that tagged address it’s almost certainly mail from that vendor, and I should have it skip my spam filters and send it directly to my inbox or a mailbox specifically for mail from vendors.

I’ve talked previously about some of the implications of address tagging for ESPs, both for signup and list hygiene, and Laura has talked about tagged, disposable and temporary addresses from a recipient perspective. Today I’m going to touch on another aspect of them – they mean that if you harvest addresses, or purchase addresses, sooner or later you’re going to get caught.

Last month I got a mail from a senior account executive (aka “salesweasel”) at Cisco/WebEx:

Hello Steve,
I am the Cisco WebEx Solutions Specialist responsible for supporting your region.
Are you available this week or next for a brief discussion of your current business objectives?
I would like to share some creative ideas about how you can reduce expenses and increase productivity throughout your organization.
Please reply with the best time to reach you.
Best regards,

I don’t recall ever having any relationship with WebEx, and we swapped out all our Cisco networking gear quite some years ago. It could be that I gave them a business card at a trade show or somesuch, as I was vaguely looking at web conferencing providers a couple of years back – but it’s a bit odd that it doesn’t have my full name, nor does the salesweasel seem to know who my employer is. Sure enough, the mail wasn’t sent to either my personal or work addresses – it was sent to a tagged address. If that tagged address had been steve-webex or steve-cisco that would have told me that I probably had given it to them at some point in the distant past.

It wasn’t, though. Instead it was a tagged address that had only ever been used for one thing – it was used to register a domain that’s used primarily to host the CBL blacklist’s website. So WebEx or, more likely, the salesweasel is harvesting email addresses from whois in order to send spam to them, or is buying lists of addresses from someone who did. Given that they’d have to violate their agreement with the .org domain registry to do that, it’s clearly unethical business behaviour (and possibly even punishable by a fine or imprisonment of no more than one year).

I just caught a potential vendor playing fast and loose with privacy. At the very least, that makes it unlikely I’d use them unless I got a really good explanation as to how this happened, and how they’d prevent it happening in the future.

It’s bad marketing, and the more technically literate your target demographic is the more likely they are to catch this sort of behaviour, and the more they’ll hold it against you. If your company doesn’t have a policy against this sort of address acquisition, it’s a good time to think about one (“Don’t do that.”). And if you do have one, check that your salesweasels are aware of it, and that it applies to email addresses bought from jigsaw or appendleads or zoominfo or emailappenders just as much as it does to that CD of fifty million email addresses they bought from a guy in a bar.

List sellers are the internet version of used car salesmen. Everyone knows they are slimy sales guys who will do anything to close the sale. They don’t have a real web presence, just visit appendleads.com and see what I mean.

And yet, people still buy lists from them! I have no doubt that my spammer friend has a nice little business selling email addresses. He sends out spam, he gets a few responses, makes a tidy profit and then sends out another spam, hooks a few more people and makes more money.

OK, so not all list sellers are like appendleads. Some of them go so far to build a website. But at the core they’re the same. They are selling data that isn’t clean, it’s not opt-in, it’s not been verified.

This is why so many of us harp on not buying lists. The sales guys talk a great game, but they aren’t selling what purchasers think they’re getting. They also don’t care. They have no incentive to clean up their data. They have no incentive to accurately represent what they’re selling. All of the risk is on the person that sends the email. Once they have their money, the buyer is on their own.

Can you ever successfully purchase a list? I’m sure some senders have. But that experience is closer to winning more than a thousand dollars in the lottery than an actual good business decision.

As I often do, I plugged his phone number into google, only to discover that my blog post from March about this spammer was the 2nd hit for that number. Well, go me.

I can report nothing has changed. He’s still violating CAN SPAM. He’s still claiming I have no right to post, share, spindle, mutilate or fold his spam. Well, in the interest in something, I thought I’d share the whole post this time. Just to warn folks from attempting to purchase services from appendleads.com (nice website, by the way).

From: David Williams <davidw@appendleads.com>
Subject: Targeted Email Lists
Date: July 8, 2010 11:17:36 AM PDT
To: Me@client.example.com

Hi Laura,

Would you like to reach your specific target audience in a cost effective, hassle free way? Have you grown tired of dialing the phone only to get another voicemail, an aggressive gatekeeper or “can you call back in 10 minutes” only to find they’re gone for the day? We make it easy to reach your specific target audience, whether you need to reach sales and marketing executives, CEO’s, director’s of HR or anyone in between.

Also, we offer email append services. If you use an in-house database but it does not include emails or the emails are out of date, we will append the emails in less than 1 weeks time. Out of site is out of mind, never let your client’s lose sight of you. To know how it works we offer email append test at no cost, so send us 50 to 100 contacts with just contact & company names in a spread sheet and we will provide the emails within 24 hours.

Reach out to hundreds of thousands of contacts with our ready to use email list or we can custom build a list based on your specific requirements. Our lists include contact name, title and email address, plus company name, postal address, phone, fax, SIC code, NAICS, employees, revenue and more. Let me know your specific target audience and a few free samples will be sent for your review.

Our objective is to help you to reach your target audience more effectively and economically. Let me know if you or someone else in your organization is responsible for such a decision.Your time and effort in referring me to someone will be appreciated.

Warm Regards,

David Williams
Lead Generation Specialist
Phone: +1 800-961-5127
NOTE: If you feel you have received this message by accident, or if you want to be deleted from further communications from me, please reply in the subject remove or opt-out.

This communication (including any attachments) may contain legally privileged and confidential information and is intended for a specific individual and purpose. If you are not the intended recipient, disclosing, copying, distributing, or taking any action based on this message is strictly prohibited.

One of AARPs interactive advertising managers posted in response denying that it was anything to do with the AARP.

This isn’t from AARP…this is a SPAM that’s been going around for years now. Did you bother looking into the source code to see where it sends you? My guess is it aint AARP…Do you know what your talking about?

Yes, Scott, we do know what we’re talking about, and we did look into the source code.

Yesterday Laura discussed in general principles how mainstream companies typically send spam by hiring a company who hires a company who hires a company to send spam.

We’re fairly familiar with how this works – one of the things Word to the Wise does is to provide forensics and expert witness services in email-related cases – so we dug into this email so as to work out what the story behind it was.

The story, as far as we can tell at a quick look, is that the AARP hired a company called SureClick to generate “Qualified Leads”.

SureClick homepage

You can see that they’re fairly proud to have the AARP as a flagship client.

What do SureClick do for their flagship client? They pay affiliates to drive traffic to their AARP membership signup page. I’m not sure exactly how much they’re paying for each signup, but it must be more than $12 as that’s how much SureClick’s affiliates are, in turn, offering to pay their affilliates.

In the case of the spam sent to Laura the affiliate SureClick hired was OfferWeb. What do OfferWeb do? They pay affiliates to drive traffic to their landing page. Seeing a pattern yet?

OfferWeb then hired a hard core spammer to actually send the spam on AARPs behalf. This guy, apparently based in Utah but spamming from a machine hosted in Pennsylvania, is doing everything he can to avoid his spam being recognised and blocked, using dozens of domains and IP addresses and sending messages stuffed full of hashbusters that have hardly any text, just images, to try and hide from spam filters.

One irony is that the Pennsylvania ISP who is hosting the spammer is also the same ISP who host the email account the spam was sent to. Sometimes the best place to start cleaning up is close to home.

So the spammer sends out millions of pieces of email to addresses he’s harvested or bought, most of which is blocked or ends up in the junk folder. When someone responds he passes them on to OfferWeb, who pass them on to SureClick who sign them up for the AARP. Then the AARP pays SureClick, who keep some of the money and pay OfferWeb, who keep some of the money and give the rest to the spammer.

It’s the advertising budget at AARP, and hundreds of companies like them, that makes this sort of spamming worthwhile.

If you’re interested in where all this data came from, check back tomorrow.

What do I mean by that? I mean that the address collection practices and the mailing processes used by self-proclaimed legitimate email marketers are sloppy. They don’t really care about individual recipients, they just care about the numbers. They buy addresses, they use affiliates, they dip whole limbs in the co-reg pool; all told their subscription practices are very sloppy. Because they didn’t scrape or harvest the email address, they feel justified in claiming the recipient asked for it and that they are legitimate.

They don’t really care that they’re mailing people who don’t want their mail and really never asked to receive it. What kinds of practices am I talking about?

Buying co-reg lists. “But the customer signed up, made a purchase, took an online quiz and the privacy policy says their address can be shared.” The recipient doesn’t care that they agreed to have their email address handed out to all and sundry, they don’t want that mail.

Arguing with subscribers. “But all those people who labeled my mail as spam actually subscribed!!!” Any time a mailer has to argue with a subscriber about the validity of the subscription, there is a problem with the subscription process. If the sender and the receiver disagree on whether there was really an opt-in, the senders are rarely given the benefit of the doubt.

Using affiliates to hide their involvement in spam. A number of companies use advertising agencies that outsource acquisition mailings that end up being sent by spammers. These acquisition mailings are sent by the same spammers sending enlargement spam. The advertiser gets all the benefits of spam without any of the consequences.

Knowing that their signup forms are abused but failing to stop the abuse. A few years back I was talking with a large political mailer. They were insisting they were legitimate email marketers but were finding a lot of mail blocked. I mentioned that they were a large target for people forging addresses in their signup form. I explained that mailing people who never asked for mail was probably the source of their delivery problems. They admitted they were probably mailing people who never signed up, but weren’t going to do anything about it as it was good for their bottom line to have so many subscribers.

Self described legitimate email marketers do the bare minimum possible to meet standards. They talk the talk to convince their customers they’re legitimate:

• We’re CAN SPAM compliant!!!
• We run the tightest ship in the industry! the second somebody unsubscribes, they are OFF THE LIST!
• We have the highest delivery rate in the industry.
• All our lists are fully opt-in!!
• We have connections at all the major ISPs.

But they sure don’t walk the walk. And their talk doesn’t convince anyone else that they’re legitimate, not even the ISPs that block their mail. They don’t really understand email marketing and how different it is from other forms of direct marketing. They think that eyeballs and mailboxes are commodities and they can slap a thin veneer of permission on their practices and get a pass. That’s not how email works. Recipients have a lot more control over their inboxes than they do over their mail boxes or their telephones and what works in the other areas does not work in email marketing.

There are a lot of marketers that are doing things right. They are, in fact, legitimate email marketers. These genuinely legitimate email marketers don’t need to advertise themselves as legitimate. The receiving ISPs know the mail is legitimate because the enduser recipients are engaged and want the mail. Mail performance mostly stands on its own merits, no talking necessary.

Legally, they may be correct. But in practice senders cannot decide that they can sell the permission of their recipients to another entity. As Al said today, you cannot buy an existing business relationship. When commenting on that post over on twitter, Evan Burke had a series of very insightful tweets on the issue.

• Al’s spot on as usual… Despite what your fine print may say, recipients grant their consent to a *single company*.
• And consent, in the mind of the recipient, is often narrower still – commonly being given to just a single brand, or even a single product.
• Consent to receive email, as defined legally, is often substantially different than how your recipients would define it.
• (cont’d) And if your recipients don’t think they gave you consent, you’re going to run into filtering and blocking issues.

Evan is exactly right.

Coincidentally, I had a potential client call me this morning to discuss the delivery problems they were having with a list. At the end of the call he also mentioned that they had a list of 7 million addresses that had been sitting around and they wanted to incorporate it into their list. I was open minded about the chances to recover the list, until he dropped that the list was 10 years old. I have to admit, I probably was not the cheery, positive, put a friendly face for the potential client consultant in responding to that.

But, really, there’s no way someone who opted in 10 years ago is going to remember they opted in to receive mail from whatever list has been found.

One thing that senders, list sellers and lawyers have to remember is that recipients are the final arbiters of permission. They know what they agreed to and if they don’t think this list, or this brand, or this sender has permission they will respond with spam complaints. The result is decreasing reputation for the sender followed by increasing delivery problems. Just because the sender thinks they have permission doesn’t mean the recipients agree with them.

Mickey posted List Rental is…. In that post he looked at how email is different from direct mail and how the attitudes are different as well.

The folks at Bronto got into the spirit of the blog carnival and Kristin, Kelly and Chris all contributed to a single post offering their perspectives on trading lists, intrusive marketing and delivery.

Al Iverson has two posts on buying lists. One is an older post talking about the delivery hassles and problems related to purchased lists from the perspective of a ESP delivery expert. Over on his SpamResource blog, he posts about the same issue from the perspective of a recipient who is tired of receiving spam.

I also posted on the issue, looking at how email is not snail mail and senders cannot be successful in email by applying the direct mail rules.

Thanks to everyone who submitted posts.

[...] 788 of the addresses contained some combination or abbreviation of the words “customer service,” or “customer care.”

Also, 193 of the addresses were “accounting@,” 455 of the addresses were “admin@,” 84 of the addresses were “administration@” or “administrator@,” 223 of the addresses were “careers@,” 108 of the addresses were “comment@” or “comments@,” 297 of the addresses were “contact@,” 160 of the addresses were “service@,” 1,448 of the addresses were “sales@,” and a whopping 7,684 addresses were “info@.”

Many clients come to me wondering why they are having such difficulty mailing their ‘guaranteed double opt in list’ that they purchased through a vendor like Target Point. One quick look at the list shows addresses similar to the above. Role accounts are almost never found on opt-in lists (with some exceptions) and finding lots of “info@” or “administrator@” address is a good sign that there are problems with the seller.

The most important thing to remember is that just removing the obvious role accounts from the purchased list is not going to magically make the list OK. There are going to be problems with the other addresses on the list, too. Mailing them will cause you problems.

Yet another example of why mailing purchased lists is bad. Not only do they cause delivery problems, but sometimes you don’t even get what you pay for.