Spamcop: Declines to send reports to ESPs

If you work the abuse desk for an email service provider, you've undoubtedly gotten spam reports from angry Spamcop users who think that your ESP, your employer, is "refusing" Spamcop reports.

Truth be told, Spamcop does not send reports to an email service provider (ESP) unless that ESP requires 100% confirmed opt-in of all clients. This effectively means no ESPs receive Spamcop reports, as just about any ESP is going to allow a client to upload a list. There are legitimate reasons for this: if people opted in while making a purchase on a different commerce platform, or if a company switches ESPs, for example. They have a list already ready for use, the people on the list did truly sign up to receive email messages from that company, and a confirmed opt-in (or double opt-in) confirmation isn't necessary.

Some people may disagree with my take on when COI/DOI is required. That's fine, but that's not the point.

The point is, Spamcop explains this policy poorly. Their system has historically provided a misleading error message to their users saying that any given ESP is "refusing" reports from Spamcop -- making it sound like Spamcop wants to send the report, but the ESP will not allow them to do so. That is simply not the case.

Spamcop has long had this policy, though it's not well documented. (And to be clear, I think it's a perfectly fine policy. It's not what I would do if it were up to me, but it's not up to me, and reasonable people can and often do disagree. I just wish it was better documented.)

Here's the best source of proof for this policy I can find online. This 2011 Spamcop forum discussion thread starts with a post from Spamcop (Cisco) employee Kelly Molloy explaining that "we decline to send [Spamcop reports to various ESPs] because our policy is to only send reports to ESPs that send only confirmed opt-in (COI) email."

She adds, "There are basically only a few reasons we don't send reports:

  1) We know the entity listwashes.
  2) Reports are bouncing.
  3) The responsible party told us they didn't want reports.
  4) It's a non-COI ESP."

And now you know. I'm documenting this information here, purely as a public service, to make it easier for the next interested party to find.

Steve's Co-Reg Inbox Saga

Periodically I create a virgin Gmail account and sign it up for something, to see what other kind of stuff might end up in the inbox. On February 22, 2010, I clicked on a single "free ipad" co-reg marketing ad, and left the checkboxes checked. I watched the mail coming in for a while, but then forgot about it.

Flash forward to July, 2016. The Gmail account is still receiving marketing mail. Mostly from "Steve" of "Worldstart.com" who apparently doesn't care about mailing addresses that haven't shown any sign of life for six plus years. "Steve" is mailing that virgin Gmail address two to four times per day, and has been since April, 2013. Actually, no, it looks like "Steve" was called "Big Daily Sale" before that and has been mailing that address for even longer.

Steve seems to have a dedicated IP address running Lyris software, 207.126.63.228, which has a sender score of 82.

Is it spam? I'm not sure. It might have been one of the original co-reg things I allowed the address to be signed up for, but the brand name changed at some point, and I certainly didn't sign the address up for email from "Steve" directly. And if they're ignoring subscriber engagement, I don't doubt that they're having inbox delivery issues. ("Steve's" mail seems to be going back and forth between the inbox and spam folder in this Gmail account.)

What I can tell you is that I don't think being like "Steve" is the path to inbox success.

Wired on Email Reputation

Word to the Wise's Laura Atkins is quoted in this article from Wired, "Mailchimp Sends a Billion Email a Day. That's the Easy Part." It's not a bad primer on Email Reputation 101, and why you can't just shovel spam at ISPs and expect them to take it.

Author Klint Finley explains: "What many people don’t realize is that today’s spam filters don’t just scan an email for questionable keywords, like references to pharmaceutical products or porn. Nor do they look merely at the email address of the sender. Crucially, they also look at the servers sending the email. Most of today’s biggest email services, such as Gmail, Yahoo Mail and Outlook.com, use reputation scoring to rank the likely spamminess of a server that’s sending an email. Think of it as a sort of credit rating for email senders."


What is SPF Lockdown?

I've been asked this question pretty regularly: How do I tell the world that a certain domain of mine isn't valid for sending email? What about typo domains, bad domains? How can I configure things to tell the world that no legitimate mail should have this domain in a from address?

Easy! You do it with what I call an "SPF Lockdown." SPF (Sender Policy Framework) is a simple way of telling the world what IP addresses are allowed to send mail for your domain. In this example, we're going to tell the world that NO servers are allowed to send mail for a given domain. To do that, create a TXT record in DNS, at the top level of your domain, and put this value in that TXT record: v=spf1 -all

The "v=spf1" is what you preface an SPF record with, when creating it as a TXT record in DNS. The "-all" means "hard fail" any mail that doesn't match the list of "mechanisms." In between, you would usually put a list of IP addresses or other information that says which servers are allowed to send that mail. Since you've included none, any mail using this domain will always fail an SPF check. No servers are allowed to send mail for that domain.

There you go, that's all there is to it. Now, any email server, email software, or anti-spam software that checks SPF records will know that any mail using that domain name in its from address is invalid. Here's an example you can look up showing an obviously bogus domain name and how its SPF record is configured.
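To audit whether a parked or typo domain really carries the lockdown record described above, here is a small checker, added as an example and not part of the original post. It assumes you already have the domain's TXT strings as a resolver returns them (unquoted); the function names and sample records are constructed for illustration.

```python
import re

# Zone-file form of the lockdown record (constructed domain):
#   parked.example.   IN  TXT  "v=spf1 -all"

MODIFIER = re.compile(r"^[a-z][a-z0-9._-]*=")   # redirect=, exp=, ...
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_records(txt_records):
    """Return the term lists of the SPF records among a domain's TXT strings."""
    found = []
    for txt in txt_records:
        terms = txt.lower().split()
        # The version term must be exactly "v=spf1"; "v=spf10 ..." is not SPF.
        if terms and terms[0] == "v=spf1":
            found.append(terms[1:])
    return found

def classify(txt_records):
    """Classify a domain's SPF posture from its TXT record strings."""
    records = spf_records(txt_records)
    if not records:
        return "no-spf"               # nothing published, so no lockdown
    if len(records) > 1:
        return "permerror"            # RFC 7208: more than one SPF record is an error
    mechanisms = [t for t in records[0] if not MODIFIER.match(t)]
    if not mechanisms:
        return "no-mechanisms"        # bare "v=spf1" or only modifiers
    first = mechanisms[0]
    qualifier, name = (first[0], first[1:]) if first[0] in QUALIFIERS else ("+", first)
    if name != "all":
        return "authorizes-senders"   # some sender can match before any "all"
    # "all" is the first mechanism: it matches every sender, so later
    # mechanisms and any redirect= modifier are never used.
    return "lockdown" if qualifier == "-" else "all-" + QUALIFIERS[qualifier]

if __name__ == "__main__":
    samples = {                       # constructed sample TXT record sets
        "parked.example": ["v=spf1 -all"],
        "soft.example": ["v=spf1 ~all"],
        "mail.example": ["v=spf1 ip4:192.0.2.10 -all"],
        "dup.example": ["v=spf1 -all", "v=spf1 ~all"],
        "other.example": ["some-verification=abc123", "v=spf10 -all"],
    }
    for domain, txt in samples.items():
        print(f"{domain:16} {classify(txt)}")
```

Only the "lockdown" result means every SPF-checking receiver gets a hard fail; a duplicate record or a `~all` typo quietly weakens that.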

LinkedIn for list building: Still bad news

It's been just over five years since a particular goober harvested his LinkedIn contact list and spammed me and a bunch of other folks. Considering that the next time it happened, with somebody else doing it, was just now, I guess that means that it's safe to say that not EVERYBODY plans to use LinkedIn to haphazardly build their list. I think it's good that perhaps most folks wouldn't think of doing that. A five year interval is better than a five week interval. But the couple of times it has happened to me -- and when I've observed it happening to others -- it always seems to be a "digital strategist" or "email strategy expert" behind it.

Real email marketing experts don't send spam! I'm sure you're all very nice people and the person in this latest incident seems like a nice enough guy. Maybe we'll get to work together on a project with a mutual customer. I'd like that.

But I do have a problem with you taking your LinkedIn contact list and importing it into an ESP and sending to it. That's spam. It wasn't cool in 2011, and it still isn't cool now.

(I'm not even calling this latest guy a goober. He just needs a bit of education. That previous guy who did it, he wanted to argue about it for days, then resorted to name calling when the discussion didn't go his way.)

Apple iOS 10 to support List Unsubscribe

Various online sites are reporting that Apple's iOS operating system version 10 is going to add support for the list unsubscribe header found in many email messages. In case you're wondering, it does sound like this unsubscribe feature supports the "mailto" version of the list unsubscribe functionality. A reddit user posted an example of a generated unsubscribe request here. I'm unclear as to whether or not it will support the "http" version of the list unsubscribe functionality.

The beta version of iOS 10 was released just yesterday, and the full public release is expected to happen sometime this fall.

FBI Raids Spammer Outed by KrebsOnSecurity

Another spammer put under the microscope! Brian Krebs reports on the FBI arrest of Michael A. Persaud, reported to be one of the world's top ten spammers.

Sanford Wallace gets jail time for FB scam

Ah, Sanford Wallace. 1990s spammer, widely blocked and blacklisted, one of a few big bad spammers who made the rest of us realize that spam was a real problem and that we had to do something about it.

Way back in 1999, in a Usenet discussion thread about Sanford, one of my fellow spam fighters asked this question: "My question would be when Wallace is going to find another loophole that allows him to cost-shift his advertising? If he could find a way to print flyers and get them glued onto everyone's car, then sue them for removing them, I'd bet that he'd do it. He's just that kind of scumbag."

Uh, well, here's something. "Last August, Wallace admitted to compromising around 500,000 Facebook accounts, using them to send over 27 million spam messages through Facebook's servers, between November 2008 and March 2009."

When is a phish not a phish?

How about, when the email is actually legitimate? But, how do you know, if the company isn't using their brand or company name in the from address? John Levine shares a scary example of what turns out to be a legitimate email, just with really, really poor branding. It makes me seethe, because it goes against everything we're supposed to be teaching end users to know about how to tell a good email from a bad one. (For more on what phishing is, click here.)

Can't send to Dad, sorry.

"Send to Dad by Sunday midnight!" the email's subject line exclaims. My father is currently in hospice care. He isn't reading a lot of emails. He probably doesn't need this valuable offer.

This reminds me a lot of the multiple "Don't miss out on Mother's Day reservations" emails from last month. My mother was cremated at the end of 2014, so she probably doesn't need a reservation.

But please keep reminding me of the past and pending deaths of people dear to me, marketers! It's thoroughly endearing-- kind of like an un-ending emotional colonoscopy.

My mother passed away right around Thanksgiving in 2014. When Thanksgiving rolls around, that doesn't itself get me down. It's the explicit reminders that marketers blast via email and Facebook on those couple of holidays that actually suck.

It only took about a year after our last dog died to get the vet to stop sending us "it's time for Solly's checkup!" reminders.

You'd think marketers would do better at making it easy to stop this kind of thing.

They don't, though.

Internet, Web Enjoy One Final Day As Proper Nouns

I have never liked capitalizing internet or web, previous versions of the AP Stylebook be damned. I guess I'm some sort of trailblazer or something, because now my way is the right way, because the latest version of the AP Stylebook says it is no longer appropriate to capitalize the words internet or web.

Putting the "free" myth to bed

Word to the Wise's Laura Atkins, like me, often gets asked about words to avoid in subject lines. Is it OK to use the word "free" in a subject line? I read that causes spam filtering! Not true, Laura patiently explains. Like Laura, I've been trying to explain that to people for years, myself. Back in 2007, I wrote:

"Since when did the word "free" become a bad word?" The answer is: It didn't. It's not. The vast majority of spam content filters don't do anything so simplistic as to filter or block a message just because it contains the word "free." Don't be afraid to use the word "free." If you're not sending spam, it's not likely to get you blocked.

Still true today.

Scott Walker's got a list for you

Why does it seem like all politicians are spammers?
Want to spam everybody who signed up for emails from Wisconsin governor Scott Walker during his failed presidential bid? That'll cost you $10,500. Makes me wish I had signed up for his email list, so I could see what kind of junk he's allowing people to send through today.

Boy, that'd make me mad if I signed up for his email list and started getting random ads for unrelated things. I don't know about you, but I try not to give my email address out to people who plan to share, sell, or repurpose it after the fact.

What is phishing?

Not this kind of fishing.
Somebody asked me recently, what is phishing? Instead of re-inventing the wheel, allow me to link to a few of the resources already out there that explain what phishing is and why it is a problem.

What is phishing? From Wikipedia: "Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication."

From Microsoft: "Phishing email messages, websites, and phone calls are designed to steal money." Included are examples of what a phishing scam in an email message might look like.

And here is more information from the FTC's Consumer Information site.

Outlook.com (Microsoft Windows Live Hotmail) Issues Today

I'm hearing from multiple sources that some mail to outlook.com / live.com / hotmail.com recipients is being delayed / deferred unexpectedly today.

ETA: Issues seem resolved. Not quite sure when they cleared up.

Yahoo, Gmail and Spam in the news

Yahoo and Gmail both hit the news this past weekend, and not for great reasons.

Protect Your Brand and Reputation

Today's guest post comes from deliverability consultant extraordinaire, my friend Josie Garcia. Take it away, Josie!

Did you know that senders are in control of many more reputation and vulnerability factors than ESPs?

Cisco PIX/ASA: Disable SMTP Fixup

Over on the Mailop list, a postmaster shared his tale of woe involving sending mail to a small set of recipients whose mail server is behind a Cisco PIX firewall.