It was not Campaign Monitor I was talking about. In fact, the ESP I received the mail from is not on the first 8 pages of Google hits for the phrases I posted.

A similar thing happened when I posted about Dell spamming me. Dell has multiple ESPs, and one of their ESPs contacted me directly in case they were the ones Dell was spamming through. It was no surprise to me that they weren’t the ESP involved.

This is what good ESPs do. Good ESPs monitor their reputation and monitor what people are saying about them. Good ESPs notice when people claim they’re being spammed and effectively reach out to the complainers so they can investigate the claim.

Good ESPs don’t just rely on the complaint numbers to take action. They keep an eye out on social networks to see who might be receiving mail they never asked for.

Today’s email was from a company that has the following in their anti-spam policy:

To send email to anyone using [ESP name], you must have clearly obtained their permission. We consider qualifying methods for obtaining permission are as follows:

• An email newsletter subscription form on your web site.
• An opt-in checkbox within a form. This checkbox must not be checked by default, the person completing the form must willingly select the checkbox to indicate they want to hear from you.
• If someone completes an offline form like a survey or enters a competition, you can only contact them if it was explained to them that you would be contacting them by email AND they ticked a box indicating they would like you to contact them.
• Customers who have purchased from you within the last 2 years.
• If someone gives you their business card and you have explicitly asked for permission to add them to your list, you can contact them.

Apparently this only counts for customers, as I have never heard of this company before receiving the spam.

I’m sure they’ll argue it wasn’t spam, it was a holiday greeting, and in fact everything above the fold was wishing me a Happy Christmas. But, down at the bottom was a message.

PS: Still not sorted your customers Christmas cards out?

You could send every one of them a fun ecard in no time at all… just click here to contact [ESP] today.

I don’t know anyone at this ESP. They hit an address that was only ever published on a website and was removed from use more than 5 years ago. It was never entered into any forms. I have never purchased from them.

It’s so blatantly spam, couched in a “HOLIDAY GREETING!” It’s not the first one I’ve gotten. It’s not even the first one I’ve gotten this year.

EDIT: Make sure to read the followup

How can this ESP claim with a straight face that they expect customers to only send opt-in mail? How can they claim they force customers to follow good practices when they don’t? This message even violates CAN SPAM – failing to have a postal address included.

At least I know what to answer if any client ever asks me about this particular ESP and what I know about them. “Well, they are spammers themselves.”

Reading some of the articles on the case, though, I’m less worried. This isn’t a blogger making some statements. Instead, Ms. Cox acted more like a stalker and harasser than a reporter. The judge even concluded that had she been granted protection as a journalist it was unlikely she could prevail as there was little factual basis for her statements.

Others have done better summaries of the case and the effect and I encourage everyone to read them.

Seattle Weekly
New York Times
Ars Technica
Forbes

I also discourage folks from applying this ruling to all bloggers. It’s not clear she was doing anything journalistic. I did find it interesting that some of her techniques to ruin the lawyer’s search results were defined as Search Engine Optimization. I’ve long thought SEO was akin to spam: say something often enough in enough places and you start to dominate the conversation. Not because you have anything useful to say, but because no one can get an idea in otherwise.

Generally IPs that the ISP has not seen traffic from before starts out with a slight negative reputation. If you think about all the new IPs that an ISP will see mail from on a daily basis, 99 out of 100 of those will be bot infected windows boxes. So they’re going to treat that mail very suspiciously. And, in the grand scheme of things, that mail is going to be spam a lot more than it’s not going to be spam.

Some ISPs put mail in the inbox and bulk foldering during the whitelisting process. Basically they’re looking to see if your recipients care enough about your mail to look for it in the bulk folder. This then feeds back to create the reputation of the IP address. There is another fairly major ISP that told me that when they’re seeing erratic data for an particular sender they will put some mail in bulk and some mail in the inbox and let the recipients tell the system which is more correct.

That’s what happens while you’re establishing a reputation on an IP. Once there is some history on the IP, things get a little different. At that point, IP reputation becomes unimportant in terms of bulk foldering. The ISP knows an IP has a certain level of reputation, and *all* their mail has that level of reputation. So bulk foldering is more related to content and reputation of the domains and URLs in the message.

The other reason IP reputation isn’t trumping domain / content reputation as much as it did in the past is that spammers stomped all over that. Affiliates, snowshoers, botnets, all those methods of sending spam made IP reputation less important and the ISPs had to find new ways to determine spam / not spam.

So if you’re seeing a lot of bulk foldering of mail, it’s unlikely there’s anything IP reputation based to do. Instead of worrying about IP reputation, focus instead on the content of the mail and see what you may need to do to improve the reputation of the domains and URLs (or landing pages) in the emails. While the content may not appear that different, the mere mention of “domain.com” where domain.com is seen in a lot of spam can trigger bulking.

Spam is illegal and Spammers are criminal. Let’s not mess about with words here. Calling someone a spammer is inflamitory [sic].

I’m not arguing that sending unsolicited bulk email is anything other than bad. And that a lot of senders have a negative reaction to being called spammers. I’ve even had hate mail for saying that an ISP was blocking mail because recipients were saying the mail was spam.

In the US, though, spam is not illegal. Violating CAN SPAM is illegal and may result in civil or criminal penalties. Sending mail to recipients that never gave permission? Not illegal.

Is there a lot of spam out there that violates CAN SPAM? Absolutely. But that’s not the sum total of email. In fact, that’s very little of the email that recipients actually see. ISPs and filtering companies do a pretty good job at filtering out most of the illegal stuff.

There is a lot of social pressure to not be perceived as a spammer. There is much social pressure to not send mail people like.

And, yes, there are countries where it is illegal to send mail without opt-in permission. Ironically, one of those countries is the UK. Marketers in the UK have 3 or 4 of my email addresses and frequently send me unsolicited email, in violation of their laws. I’ve even blogged about some of it.

If people are using legitimate email addresses that legitimately opted in and verified details, they should be required to have a log of which lists they opted in to. You are just asking to hurt legit mailers.

The underlying reasoning appears to be that no sender ever spams, and every recipient or spamtrap owner is just too dumb to remember what they signed up for. If the recipient maintains a list of where they sign up, then spam will be a solved problem.

This is not only an unpersuasive line of argument, it’s also pretending that mailboxes are full of opt-in mail that the recipient just forgot about signing up for.

I do keep track of where I sign up for things. This doesn’t actually help when I get spam. For instance, I know that the address ticketmaster keeps spamming for raves in London was never used to sigh up for anything. Yet ticketmaster keeps telling me it was. They, of course, can’t tell me when or from where, so I treat the mail as spam.

I know that another address did sign up at a client’s site in 2007 as part of an audit I was doing for them. In 2010 that address was leaked to (or stolen by) a bunch of affiliate spammers. In the last 18 months I’ve gotten over 19,000 offers to the address, none of which are related to the original signup. Many of those offers are from real brands, including some that have hired me to investigate their affiliate programs and larger delivery problems.

I know another address was used during correspondence with a vendor discussing payment terms. That address was never given to them to add to a newsletter. They mailed me anyway. I knew that the mail was spam.

Knowing what you signed up for and having a log of what you opted in to doesn’t do anything to stop a sender from sending spam. It also doesn’t help legitimate mailers who may end up with spamtraps on their list. In all of the above situations my knowing where the address was given doesn’t help me or the sender identify what part of their signup process is broken.

If, however, senders had a real audit trail for addresses, they could identify what import brought my address into their list. They could track the dodgy vendor that is selling them bad lists. They can identify the problematic import that brought employee address books into the newsletter database. They could identify what idiot used my email address to buy tickets in London.

If the senders knew what was broken, they could fix the problem and have more deliverable and more responsive mailing lists. Without an audit trail, however, they’re stuck with a bunch of addresses of unknown provenance.

1. I get 15 copies. There are a lot of spammers out there who buy and scrape addresses and don’t do even the simplest of de-duping. Send multiple copies to a single address, you’re probably spamming.
2. I get mail to a non-tagged address. I use tags for every signup, and have done since mid-1999 or so. If I get commercial email to a non-tagged address, I know it’s spam.
3. I get to a tagged address from someone it wasn’t given to. As above, the tags remind me who was given my email address. If mail comes into a tagged address and it wasn’t given to the sender, then I know the mail is spam.
4. I get mail to a poorly harvested address. Another subset of the tagged addresses, there are a couple badly written web harvesters out there which add random characters onto the end of my tags. So I get mail to -infon@ and -infonn@ and -infonnn@ addresses, and I know the sender is spamming.
5. Someone attempts to send mail to an address that never existed at my domain. Even better, I don’t have to receive the mail for this one. If you attempt to send mail to a non-existent user here, I know without even looking that the mail was not asked for.

Am I wrong?

This mail finally hit my annoyance threshold, so I’ve been submitting reports and complaints to the senders the last few weeks. The mail, with full headers, goes with an explanation that the address that received it was harvested off a website more than 5 years ago and never opted in to receive any mail.

One of the ISPs I sent the report to has a web form where the complainant and the customer can see the report and both can comment on it. The customer replied to my complaint on it.

Email compliant with best practice, lazy user. Have clicked the unsubscribe link for them

As you can imagine this annoyed me. I mean, I’m really happy they’re going to stop sending me spam advertising clubs a 12 hour plane flight away, but they could do that without claiming that I was a lazy user.

I replied to the complaint.

Despite what your customer says I am not a “lazy user.” The email was sent to an address harvested off a website more than 5 years ago. I never signed up for it, I never asked for it.

Your customer is a spammer.

To the ISP’s credit, they did take the complaint a lot more seriously than their customer.

Network access to server has been suspended

Boy, did that change the customer’s tune.

I will speak again to my customer and seek clarification from them as to the source of my email. My comment was in relation to email content such as headers and unsubscribe details

While I know it’s tempting to treat every complaint as a “lazy user” who just won’t unsubscribe, it can be a very bad idea. It’s not that I’m too lazy to hit the unsubscribe button, it’s that the sender is clearly a spammer, either buying or harvesting address lists. Why should I trust that spammer to actually honor an unsubscribe? I don’t. Thus, I send in a complaint.

Return-Path:
Received: by m.wordtothewise.com (Postfix, from userid 1003)
  id 166562E196; Wed,  5 Oct 2011 13:50:25 -0700 (PDT)
Received: from [164.193.177.203] (86.sub-75-248-121.myvzw.com
  [75.248.121.86]) by m.wordtothewise.com (Postfix) with SMTP id
  850862E185 for <MUNGED>; Wed,  5 Oct 2011 13:50:23 -0700 (PDT)
Received: from [164.193.177.203][127.0.0.1] by [164.193.177.203]
  [127.0.0.1] (SMTPD32); Wed, 5 Oct 2011 13:49:44 -0700
  Message-ID: <275a6de8fff734e0abd353db00143bb7@g2gm.com>
From: "Ashley Anderson"
To: <MUNGE>
Subject: Do You Want Access to NEW Customers?
Date: Wed, 5 Oct 2011 13:49:42 -0700
MIME-Version: 1.0
Content-Type: text/plain;
charset="windows-1252"
Content-Transfer-Encoding: quoted-printable

Hello,

Does you company need access to fresh databases that can be used
for E-mail Marketing, Direct Mail & Telemarketing?

We have access to 200 Million Consumers & 45 Million
Businesses.=09

Some of our most popular lists are:

> U.S. Realtors - 1,281,916 Full Records=09
> U.S. Lawyers - 269,787 Full Records=09
> U.S. Financial Planners - 265,425 Full Records=09
> U.S. Businesses - 4.8 Million Full Records=09
> U.S. Manufacturers - 1,057,119 Full Records=09
> U.S. Homeowners - 1,326,620 Full Records=09
> U.S. Physicians - 741,809 Full Records=09
> Worldwide Investors - 8,562,140 Emails Only=09

*Much More Available Upon Request=2E
Call us to get a FREE quote!

Thank You,
Ashley Anderson
Data Specialist
Business Networking Services
1 (800) 841-5070

I’m counting at 4 violations, plus aggravated damages because the address was harvested.

How many violations can you find?

Would you trust this company to sell you actual opt-in addresses?