Well, that got someone’s attention. The person managing their twitter account tweeted at me with an email address and a suggestion to send him my address so he could take care of it. I sent the mail as asked and even got a reply.

Unfortunately, the reply was “I clicked the unsubscribe link at the bottom of the message for you.”

I dunno, maybe his mouse is a magic mouse and, somehow, the click from that magic mouse will be more effective than a click from my not-magic mouse. I’m not holding out much hope, though. I have no doubt that my sales address will keep getting invited to raves in London long after I retire.

Today’s email was from a company that has the following in their anti-spam policy:

To send email to anyone using [ESP name], you must have clearly obtained their permission. We consider qualifying methods for obtaining permission are as follows:

• An email newsletter subscription form on your web site.
• An opt-in checkbox within a form. This checkbox must not be checked by default, the person completing the form must willingly select the checkbox to indicate they want to hear from you.
• If someone completes an offline form like a survey or enters a competition, you can only contact them if it was explained to them that you would be contacting them by email AND they ticked a box indicating they would like you to contact them.
• Customers who have purchased from you within the last 2 years.
• If someone gives you their business card and you have explicitly asked for permission to add them to your list, you can contact them.

Apparently this only counts for customers, as I have never heard of this company before receiving the spam.

I’m sure they’ll argue it wasn’t spam, it was a holiday greeting, and in fact everything above the fold was wishing me a Happy Christmas. But, down at the bottom was a message.

PS: Still not sorted your customers Christmas cards out?

You could send every one of them a fun ecard in no time at all… just click here to contact [ESP] today.

I don’t know anyone at this ESP. They hit an address that was only ever published on a website and was removed from use more than 5 years ago. It was never entered into any forms. I have never purchased from them.

It’s so blatantly spam, couched in a “HOLIDAY GREETING!” It’s not the first one I’ve gotten. It’s not even the first one I’ve gotten this year.

EDIT: Make sure to read the followup

How can this ESP claim with a straight face that they expect customers to only send opt-in mail? How can they claim they force customers to follow good practices when they don’t? This message even violates CAN SPAM – failing to have a postal address included.

At least I know what to answer if any client ever asks me about this particular ESP and what I know about them. “Well, they are spammers themselves.”

Another one should be “How does what you’re doing look to a typical recipient?”.

I’ve received several pieces of spam recently from senders who were ticking quite a lot of the “email best practices” checkboxes, but who completely blew it by not looking at it from the recipients point of view. The mistakes they’ve made, and the things to learn from them, and much the same, so I’ll just give one example.

“Likes Music” is not the same as “Likes Groupon Clones”

I’ve been a subscriber to our local radio station’s mailing list for years – promos KFOG is running, local gigs, that sort of thing, all in a newsletter sort of format. They recently sent out an ad for a Groupon clone called “SweetJack” – on it’s own, not as part of a newsletter. I’m not interested, and I think it’s a fairly poor pitch and won’t work well for their demographic, but fair enough. A couple of weeks later I start getting spam from SweetJack, thanking me for signing up – to the tagged email address I’d only given to KFOG. And no mention of KFOG at all.

Most recipients are just going to see this as spam out of the blue from SweetJack, and hammer on the “This is Spam” button until it goes away. That’s dreadful for SweetJack’s reputation, and is going to hurt their delivery.

Recipients paying more attention are going to notice that the first they heard of SweetJack was an out of the ordinary promo by KFOG, and then they start getting spam from SweetJack. They’re likely to assume that KFOG sold their email addresses to SweetJack – and that they’re sending their spam to an email address that only KFOG has in my case confirms that. That’s going to be dreadful for SweetJack’s reputation and going to damage the relationship between KFOG and their existing subscribers. A dreadful idea.

Digging down deeper, it seems that while KFOG being bought out by media behemoth Cumulus Media a few years back didn’t damage their on-air content, it did change the amount of respect they have for their subscribers. SweetJack is a new Groupon clone started by Cumulus Media. They did have legitimate access to the KFOG mailing lists, sorta. It’s probably not an AUP or privacy violation. It’s just the sort of thing an eager marketing guy at the corporate owners would think was a great idea, to leverage the value of their existing subscribers.

But it would have been a pretty bad idea had they carried it out perfectly, with clear messaging and transparency to the recipients. And they blew their one opportunity to do it well, and I’m betting that most of the recipients have SweetJack categorized as “spammers”, both mentally and in their mail clients.

1. Not a real email marketing rule.

This mail finally hit my annoyance threshold, so I’ve been submitting reports and complaints to the senders the last few weeks. The mail, with full headers, goes with an explanation that the address that received it was harvested off a website more than 5 years ago and never opted in to receive any mail.

One of the ISPs I sent the report to has a web form where the complainant and the customer can see the report and both can comment on it. The customer replied to my complaint on it.

Email compliant with best practice, lazy user. Have clicked the unsubscribe link for them

As you can imagine this annoyed me. I mean, I’m really happy they’re going to stop sending me spam advertising clubs a 12 hour plane flight away, but they could do that without claiming that I was a lazy user.

I replied to the complaint.

Despite what your customer says I am not a “lazy user.” The email was sent to an address harvested off a website more than 5 years ago. I never signed up for it, I never asked for it.

Your customer is a spammer.

To the ISP’s credit, they did take the complaint a lot more seriously than their customer.

Network access to server has been suspended

Boy, did that change the customer’s tune.

I will speak again to my customer and seek clarification from them as to the source of my email. My comment was in relation to email content such as headers and unsubscribe details

While I know it’s tempting to treat every complaint as a “lazy user” who just won’t unsubscribe, it can be a very bad idea. It’s not that I’m too lazy to hit the unsubscribe button, it’s that the sender is clearly a spammer, either buying or harvesting address lists. Why should I trust that spammer to actually honor an unsubscribe? I don’t. Thus, I send in a complaint.

Ethix Marketing LLC
711 S. Carson Street Suite 4
Carson City, Nevada 89701

The kicker? They’re violating CAN SPAM while they’re doing it. Seriously, sending mail out through open relays and proxies with forged From: addresses is a violation of CAN SPAM. And they’re spamming for ambulance chasers.

Spammers, eh?

You are receiving this email because you have ordered from us, or emailed us in the past. We take your privacy seriously,and promise never to give your personal information to any other company.

Most people probably wouldn’t know that for the lie it is, as they don’t have special addresses on their websites. But in this case, I know it is a lie. I know I have never ordered from the Norman Rockwell Museum of Vermont. I know that laura-web is an address up on a website. It’s not used to send mail. It’s not used to purchase anything.

“You opted in to receive mail” is one of the oldest spammer lies out there. I always discourage clients from using wording like this. If the client doesn’t have enough information to fill in the blanks “you ordered from us in October” or “you signed up in June” then there isn’t really any reason to add it in. If the user doesn’t remember ordering from them, then they’re going to look like a spammer.

We own the site samspade.org. It’s down now, victim of a major hardware crash, but this was a site with a number of tools for tracking spammers. This morning, I got email about SamSpade.

My name is Tina from <some random gardening site>.

I am the SEO and marketing manager over here.

As you probably know, having backlinks from related sites helps increase your rankings in Google.

Well, I was just doing a search on Google.com for “Samspade” and your site popped up! This is you, right?

http://www.wordtothewise.com

Well, check it out…

Since we both target a similar audience, Google will give us BOTH extra love if we each place a simple link to one another.

Not a lot of work and plenty of benefit to both of us.

I know you probably get requests like this all the time, I know I sure do. So, to stand out, I went above and beyond by setting up a customized page telling my site visitors about your great site!

Poor Tina. Her SEO optimization software mistakenly keyed off of the “spade” in our domain name and decided that we sold weeding tools. Not so much. Of course, the company that “Tina” bought her software from is well versed in spamming, both SEO and email. The domains are all obfuscated behind whois protection. The domain the mail came from doesn’t exist. They’re using gmail as a contact address. They’re hosted on LiquidWeb.

Maybe it’s not poor Tina after all. Maybe this isn’t just some poor person trying to get a leg up. Maybe it really is just a major spammer looking to spam their new website. Poorly. And with no finesse.

I got email today to an old work email address of mine from Strongmail. To be fair it was a technically correct email. Everything one would expect from a company handling large volumes of emails.  It’s clear that time and energy was put into the technical setup of the send. If only they had put even half that effort into deciding who to send the email to. Sadly, they didn’t.

My first thought, upon receiving the mail, was that some new, eager employee bought a very old and crufty list somewhere. Because Strongmail has a reputation for being responsible mailers, I sent them a copy of the email to abuse@. I figured they’d want to know that they had a new sales / marketing person who was doing some bad stuff.

I know how frustrating handling abuse@ can be, so I try to be short and sweet in my complaints. For this one, I simply said, “Someone at Strongmail has appended, harvested or otherwise acquired an old email address of mine. This has been added to your mailing list and I’m now receiving spam from you. ”

They respond with an email that starts with:

“Thank you for your thoughtful response to our opt-in request. On occasion, we provide members of our database with the opportunity to opt-in to receive email marketing communications from us.”

Wait. What? Members of our database? How did this address get into your database?

“I can’t be sure from our records but it looks like someone from StrongMail reached out to you several years ago.  It’s helpful that you let us know to unsubscribe you.  Thank you again.”

There you have it. According to the person answering email at abuse@ Strongmail they sent me a message because they had sent mail to me in the past. Is that really what you did? Send mail to very old email addresses because someone, at some point in the past, sent mail to that address? And you don’t know when, don’t know where the address came from, don’t know how it was acquired, but decided to reach out to me?

How many bad practices can you mix into a single send, Strongmail? Sending mail to addresses where you don’t know how you got them? Sending mail to addresses that you got at least 6 years ago? Sending mail to addresses that were never opted-in to any of your mail? And when people point out, gently and subtly, that maybe this is a bad idea, you just add them to your global suppression list?

Oh. Wait. I know what you’re going to tell me. All of your bad practices don’t count because this was an ‘opt-in’ request. People who didn’t want the mail didn’t have to do anything, therefore there is no reason not to spam them! They ignore it and they are dropped from your list. Except it doesn’t work that way. Double opt-in requests to someone has asked to be subscribed or is an active customer or prospect is one thing. Requests sent to addresses of unknown provenance are still spam.

Just for the record, I have a good idea of where they got my address. Many years ago Strongmail approached Word to the Wise to explore a potential partnership. We would work with and through Strongmail to provide delivery consulting and best practices advice for their customers. As part of this process we did exchange business cards with a number of Strongmail employees. I suspect those cards were left in a desk when the employees moved on. Whoever got that desk, or cleaned it out, found  those cards and added them to the ‘member database.’

But wait! It gets even better. Strongmail was sending me this mail, so that they could get permission to send me email about Email and Social Media Marketing Best Practices. I’m almost tempted to sign up to provide me unending blog fodder for my new series entitled “Don’t do this!”

When we talk about sender behaviour we’ll often dive headfirst into the technical details of how that’s monitored and tracked – history of mail from the same IP address, SPF records, good reverse DNS, send rates and ramping, polite SMTP level behaviour, DKIM and domain-based reputation and so on. If all of those are OK and the mail still doesn’t get delivered then you might throw up your hands, fall back on “it’s content-based filtering” and not leave it at that.

There’s just as much detail and scope for diagnosis in content-based filtering, though, it’s just a bit more complex, so some delivery folks tend to gloss over it. If you’re sending mail that people want to receive, you’re sure you’re sending the mail technically correctly and you have a decent reputation as a sender then it’s time to look at the content.

You want your mail to look just like wanted mail from reputable, competent senders and to look different to unwanted mail, viruses, phishing emails, botnet spoor and so on. And not just to mechanical spam filters – if a postmaster looks at your email, you want it to look clean, honest and competently put together to them too.

Some of the distinctive content differences between wanted and unwanted email are due to the content as written by the sender, some of them are due to senders of unwanted email trying to hide their identity or their content, but many of them are due to the different quality software used to send each sort of mail. Mail clients used by individuals, and content composition software used by high quality ESPs tends to be well written and complies with both the email and MIME RFCs, and the unwritten best common practices for email composition. The software used by spammers, botnets, viruses and low quality ESPs tends not to do so well.

Here’s a (partial) list of some of the things to consider:

MIME Structure

Good email tends to be either plain text or a multipart mail consisting of two versions of the same message, one in HTML and one in plain text.

Bad email often doesn’t have the plain text part. Either it’s missing altogether, or it’s completely different (much shorter) content than the HTML part.

Text Encoding

Bad email often tries to hide it’s content from spam filters. One common way of doing this is to use base64 encoding for text where quoted-printable encoding would be appropriate.

Lazy software developers sometimes base64 encode everything, as it’s less work than deciding which encoding is appropriate for a message part. Doing that looks dishonest or incompetent to filters and postmasters.

Images

Another way bad email tries to hide it’s content is by misuse of images. The most obvious example of this is mail that consists of just a single huge image – sometimes that’s just because it’s easier for the graphic designer to do that way, but more often it’s a spammer trying to hide their content from filters. Either way, it’s much less likely to be delivered.

Including CAN-SPAM required boilerplate (such as the postal address) purely as an image is another thing that’s distinctive to bad email. Bad email hides the contact address in that way so as to avoid people being able to search based on it to track their behaviour across brands and shell companies, and to stop people using it to key targeted spam filters on. Good email doesn’t need to do that.

HTML Structure

If your email is completely unreadable with images not displayed, it’s not going to be a good marketing piece in the (common) case that images aren’t shown. Including appropriate ALT text for each image not only makes it look better to recipients when images are turned off, it also makes it look more legitimate to postmasters with ticketing systems that don’t display images, or only show the raw HTML. It sometimes makes spam filters happier too.

That’s just one example of sending “good” html.

Phishy URLs

Bad email sent by phishers often includes links that look like <a href=”http://phisher.ru/”>bank.com</a>, where the message is trying to look like legitimate email from bank.com, but it’s sending readers to phisher.ru instead. <a href=”http://bank.com.whatever.phisher.ru/”>bank.com</a> is an even more obvious attempt to defraud the recipient.

Otherwise good email sent by naive ESPs often includes links that look like <a href=”http://click.esp.com?trackdata=xxxx&target=bank.com/”>bank.com</a>. To a spam filter, that looks much the same as a typical phishing URL, and the delivery is not going to go well.

Bad Phrasing or Appearance

Even if 100% of your recipients desperately wait for every issue of your newsletter there are some phrases that will cause you more problems than others. “Looking spammy” is one of the worst things for your email if you need to discuss a delivery issue with a postmaster or a filter vendor – if it “looks like spam” they’re much less likely to believe it’s really wanted by recipients.

If your newsletter is about “Moustache Rides” (real example, I’m not making this up) then you might not be able to fix the phrasing, but you should try and make the rest of the newsletter look professionally put together, as much as you can anyway.

URL Reputation

If two emails received “look similar” and the recipient complained about the first one, it’s likely the second one will be unwanted too. But mechanically detecting similar content is complex and expensive to do, so a common trick is to “fingerprint” each email by looking for distinctive features in it, and considering messages that share a fingerprint to be similar.

One of the simpler fingerprints to use is the URLs used in links in the mail, more specifically the hostnames of the links. If someone is sending bad email and you send email using the same URLs or hostnames, it’s likely to be treated poorly.

Fiddly Trivia

There are lots of other fiddly little things that spam filters key on too. You shouldn’t obsess about them too much, but it’s worth being aware of the sort of things that can make a difference. SpamAssassin publish some of the rules they use. If you look at the rules, look at the scores too – a rule with a score of 0.001 isn’t very relevant.

As a very simple example, someone may have a “real” email address provided by their ISP and a gmail address. If they only ever sign up for bulk email using their gmail account then they know that any bulk email they receive at their ISP email address is not mail they signed up for, and hence that it’s spam.

A more flexible way of having multiple email addresses is what’s known as “boxing” or “tagging” – being able to make up new variants of your email address on the fly. How that’s done varies depending on the mail system you use, but typically you’ll be able to add a string to the end of your email address, separated by a “+” or a “-”. For example, if my main email address is steve@blighty.com I can create a tagged address like steve-blogspam@blighty.com. They’ll both be delivered to my inbox by default, or I can use the tag to route the mail to another mailbox (either using the filtering rules in my mail client, or something like procmail or sieve running on the mailserver).

Because I’ve never sent mail from the email address steve-blogspam@blighty.com, nor given it to anyone, nor even mentioned it anywhere other than this blog post I know that any email I get to it was sent by a spammer who harvested it from this page or the blog rss feed. On the other end of the spectrum I have tagged email addresses that I’ve created specifically to give to one of our vendors, and so I know that if I see email sent to that tagged address it’s almost certainly mail from that vendor, and I should have it skip my spam filters and send it directly to my inbox or a mailbox specifically for mail from vendors.

I’ve talked previously about some of the implications of address tagging for ESPs, both for signup and list hygiene, and Laura has talked about tagged, disposable and temporary addresses from a recipient perspective. Today I’m going to touch on another aspect of them – they mean that if you harvest addresses, or purchase addresses, sooner or later you’re going to get caught.

Last month I got a mail from a senior account executive (aka “salesweasel”) at Cisco/WebEx:

Hello Steve,
I am the Cisco WebEx Solutions Specialist responsible for supporting your region.
Are you available this week or next for a brief discussion of your current business objectives?
I would like to share some creative ideas about how you can reduce expenses and increase productivity throughout your organization.
Please reply with the best time to reach you.
Best regards,

I don’t recall ever having any relationship with WebEx, and we swapped out all our Cisco networking gear quite some years ago. It could be that I gave them a business card at a trade show or somesuch, as I was vaguely looking at web conferencing providers a couple of years back – but it’s a bit odd that it doesn’t have my full name, nor does the salesweasel seem to know who my employer is. Sure enough, the mail wasn’t sent to either my personal or work addresses – it was sent to a tagged address. If that tagged address had been steve-webex or steve-cisco that would have told me that I probably had given it to them at some point in the distant past.

It wasn’t, though. Instead it was a tagged address that had only ever been used for one thing – it was used to register a domain that’s used primarily to host the CBL blacklist’s website. So WebEx or, more likely, the salesweasel is harvesting email addresses from whois in order to send spam to them, or is buying lists of addresses from someone who did. Given that they’d have to violate their agreement with the .org domain registry to do that, it’s clearly unethical business behaviour (and possibly even punishable by a fine or imprisonment of no more than one year).

I just caught a potential vendor playing fast and loose with privacy. At the very least, that makes it unlikely I’d use them unless I got a really good explanation as to how this happened, and how they’d prevent it happening in the future.

It’s bad marketing, and the more technically literate your target demographic is the more likely they are to catch this sort of behaviour, and the more they’ll hold it against you. If your company doesn’t have a policy against this sort of address acquisition, it’s a good time to think about one (“Don’t do that.”). And if you do have one, check that your salesweasels are aware of it, and that it applies to email addresses bought from jigsaw or appendleads or zoominfo or emailappenders just as much as it does to that CD of fifty million email addresses they bought from a guy in a bar.