1. I get 15 copies. There are a lot of spammers out there who buy and scrape addresses and don’t do even the simplest of de-duping. Send multiple copies to a single address, you’re probably spamming.
2. I get mail to a non-tagged address. I use tags for every signup, and have done since mid-1999 or so. If I get commercial email to a non-tagged address, I know it’s spam.
3. I get to a tagged address from someone it wasn’t given to. As above, the tags remind me who was given my email address. If mail comes into a tagged address and it wasn’t given to the sender, then I know the mail is spam.
4. I get mail to a poorly harvested address. Another subset of the tagged addresses, there are a couple badly written web harvesters out there which add random characters onto the end of my tags. So I get mail to -infon@ and -infonn@ and -infonnn@ addresses, and I know the sender is spamming.
5. Someone attempts to send mail to an address that never existed at my domain. Even better, I don’t have to receive the mail for this one. If you attempt to send mail to a non-existent user here, I know without even looking that the mail was not asked for.

Am I wrong?

As a very simple example, someone may have a “real” email address provided by their ISP and a gmail address. If they only ever sign up for bulk email using their gmail account then they know that any bulk email they receive at their ISP email address is not mail they signed up for, and hence that it’s spam.

A more flexible way of having multiple email addresses is what’s known as “boxing” or “tagging” – being able to make up new variants of your email address on the fly. How that’s done varies depending on the mail system you use, but typically you’ll be able to add a string to the end of your email address, separated by a “+” or a “-”. For example, if my main email address is steve@blighty.com I can create a tagged address like steve-blogspam@blighty.com. They’ll both be delivered to my inbox by default, or I can use the tag to route the mail to another mailbox (either using the filtering rules in my mail client, or something like procmail or sieve running on the mailserver).

Because I’ve never sent mail from the email address steve-blogspam@blighty.com, nor given it to anyone, nor even mentioned it anywhere other than this blog post I know that any email I get to it was sent by a spammer who harvested it from this page or the blog rss feed. On the other end of the spectrum I have tagged email addresses that I’ve created specifically to give to one of our vendors, and so I know that if I see email sent to that tagged address it’s almost certainly mail from that vendor, and I should have it skip my spam filters and send it directly to my inbox or a mailbox specifically for mail from vendors.

I’ve talked previously about some of the implications of address tagging for ESPs, both for signup and list hygiene, and Laura has talked about tagged, disposable and temporary addresses from a recipient perspective. Today I’m going to touch on another aspect of them – they mean that if you harvest addresses, or purchase addresses, sooner or later you’re going to get caught.

Last month I got a mail from a senior account executive (aka “salesweasel”) at Cisco/WebEx:

Hello Steve,
I am the Cisco WebEx Solutions Specialist responsible for supporting your region.
Are you available this week or next for a brief discussion of your current business objectives?
I would like to share some creative ideas about how you can reduce expenses and increase productivity throughout your organization.
Please reply with the best time to reach you.
Best regards,

I don’t recall ever having any relationship with WebEx, and we swapped out all our Cisco networking gear quite some years ago. It could be that I gave them a business card at a trade show or somesuch, as I was vaguely looking at web conferencing providers a couple of years back – but it’s a bit odd that it doesn’t have my full name, nor does the salesweasel seem to know who my employer is. Sure enough, the mail wasn’t sent to either my personal or work addresses – it was sent to a tagged address. If that tagged address had been steve-webex or steve-cisco that would have told me that I probably had given it to them at some point in the distant past.

It wasn’t, though. Instead it was a tagged address that had only ever been used for one thing – it was used to register a domain that’s used primarily to host the CBL blacklist’s website. So WebEx or, more likely, the salesweasel is harvesting email addresses from whois in order to send spam to them, or is buying lists of addresses from someone who did. Given that they’d have to violate their agreement with the .org domain registry to do that, it’s clearly unethical business behaviour (and possibly even punishable by a fine or imprisonment of no more than one year).

I just caught a potential vendor playing fast and loose with privacy. At the very least, that makes it unlikely I’d use them unless I got a really good explanation as to how this happened, and how they’d prevent it happening in the future.

It’s bad marketing, and the more technically literate your target demographic is the more likely they are to catch this sort of behaviour, and the more they’ll hold it against you. If your company doesn’t have a policy against this sort of address acquisition, it’s a good time to think about one (“Don’t do that.”). And if you do have one, check that your salesweasels are aware of it, and that it applies to email addresses bought from jigsaw or appendleads or zoominfo or emailappenders just as much as it does to that CD of fifty million email addresses they bought from a guy in a bar.

They mailed me maybe a dozen times over the course of a month and then the mail stopped.

Until today.

Today I got two messages from tagged.com, one from Sophia C (33) and one from Melinda E (27). The messages are identical except for the names and some of the advertising on the bottom.

I find it a bit coincidental that after all the recent news about Tagged that I start getting mail from them again. Mail that is not from anyone I know. Mail attempting to entice me into logging back into the tagged site.

Are these emails from different people?

What do you think?

On the good side, Tagged.com won a judgment against a spammer sending spam to Tagged.com users. (Tagged has a post on their blog about the win, but the direct link to that article doesn’t work).

On the minus side, yet another ruling against tagged.com. They’ve been accused of sending spam, including some mail that looks like a phish. They recently settled in a CA court, agreeing to dispose of certain addresses collected during a 3 month period in 2009.

Tagged promised that it will destroy address book information that was scraped from users who joined the site between April and June, if those users either didn’t send any invitations to their contacts or invited all of their contacts to join the site. The company did not admit wrongdoing as part of the settlement.

Their victory against the spammer might be more compelling if they, themselves, were not repeatedly ending up at the defense table for customer unfriendly practices.