White House Spam, Signup Forgery, and GovDelivery

As guest blogger Jaren Angerbauer mentioned on Friday, after this whole White House spam email debacle, they promised to "implement measures" to verify and validate email addresses. So far, there's no externally visible proof that they've actually implemented any such measures, the most obvious one being a simple and clear double opt-in (aka confirmed opt-in) signup process.

Double opt-in is the easiest, the simplest way to ensure that recipients are not signed up for mailing lists accidentally or otherwise against their will. It's especially important (and especially lacking) in the realm of political email, sadly.
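To make the double opt-in (confirmed opt-in) process concrete, here is an added example of the server-side half of such a flow. It is illustrative code written for this post, not code from the author, the White House, or GovDelivery. It assumes an in-memory store (a real system would persist the pending and confirmed sets), an HMAC key kept server-side, and a mail-sending step that is left out: the only thing shown is that a signup request puts an address into a pending state, and the address joins the list only when the signed confirmation token issued to that address comes back before it expires. The function and class names are invented for the example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side key for this example. A real deployment keeps a
# stable secret in configuration so tokens survive a process restart.
SECRET = secrets.token_bytes(32)

# Confirmation links are honoured for 48 hours, then the request is dropped.
TOKEN_TTL = 48 * 3600


class SubscriptionStore:
    """Toy stand-in for the list database: pending requests vs. confirmed members."""

    def __init__(self):
        self.pending = {}      # normalised address -> unix time the request was made
        self.confirmed = set() # normalised addresses that completed confirmation


def _normalise(address):
    return address.strip().lower()


def make_token(address, issued_at, secret=SECRET):
    """HMAC over (address, issue time); this is what goes into the confirmation link."""
    msg = f"{_normalise(address)}|{issued_at}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def request_subscription(store, address, now):
    """Anyone can submit any address here; it only becomes a pending request.

    Nothing is added to the mailing list yet. The returned token would be
    embedded in a confirmation link mailed to the address itself, so only
    someone who can read that mailbox can complete the signup.
    """
    issued_at = int(now)
    store.pending[_normalise(address)] = issued_at
    return make_token(address, issued_at)


def confirm_subscription(store, address, token, now, ttl=TOKEN_TTL):
    """Activate the subscription only if a valid, unexpired token comes back."""
    key = _normalise(address)
    issued_at = store.pending.get(key)
    if issued_at is None:
        return False                     # no outstanding request for this address
    if now - issued_at > ttl:
        del store.pending[key]           # stale request; require a fresh signup
        return False
    expected = make_token(address, issued_at)
    if not hmac.compare_digest(expected, token):
        return False                     # forged or mangled link; stay pending
    del store.pending[key]               # token is single-use
    store.confirmed.add(key)
    return True


def is_subscribed(store, address):
    """Only confirmed addresses ever receive list mail."""
    return _normalise(address) in store.confirmed


if __name__ == "__main__":
    store = SubscriptionStore()
    token = request_subscription(store, "someone@example.com", 1_700_000_000)
    print("subscribed before confirmation:", is_subscribed(store, "someone@example.com"))
    confirm_subscription(store, "someone@example.com", token, 1_700_000_060)
    print("subscribed after confirmation:", is_subscribed(store, "someone@example.com"))
```

The point of the design is that the signup form is untrusted input: a coworker or a stranger can type any address into it, and the most that can happen is one confirmation message to that address. Without the confirmation step, that same form submission would put the address straight onto the list, which is exactly the forge-subscription problem described above.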

Both my friend Mickey Chandler and I have been forge-subscribed to political mailing lists on numerous occasions. This is not limited to any single political persuasion -- between Mickey and me, our politics cover both sides of the aisle, and we've both been forge-subscribed to the opposing party's mailing list(s).

Back in 2004, a coworker thought it would be funny to sign me up for an email list for a political party other than my own. Ha ha, it was hilarious. Not. What was especially un-hilarious is how no matter how many times I unsubscribed, I kept getting more unwanted garbage, from different, but politically-affiliated senders. This one single list signup got me on one single list, but that entity sold or shared that email list with about a gazillion more entities.

That address, abandoned since 2006, is probably still receiving that political spam to this day. Whoever my ex-employer chose to forward that address to after I left that job, I hope they're enjoying it.

It was good to see the spotlight shone on this practice, due to what the White House did. Taking list data from multiple politically-related groups, combining that data, and calling it "your list" is hardly a new practice, but it's an awful practice. A stupid practice. A spammer practice.

It doesn't matter if I share your political beliefs. If I didn't sign up for it, it's spam.

According to the Gawker screenshot showing the email headers, the mail in question came from the IP address 208.42.190.242. I looked that IP address up in Sender Score and found that its score is 95, but when I dug into the extended stats (by logging in), I found a "complaints" metric of 63. These are all 0-100 scores, and higher is better. A metric of 63/100 sits right at the edge between good and not so good, and in my years of working with hundreds (or thousands) of senders, I know from experience that most good senders have a "complaints" metric much higher than 63. Translated: mail from this IP address is generating a lot of spam complaints. (And lack of permission drives spam complaints.)

What is especially disappointing to me is the email service provider's response to all of this. According to Gawker, the CEO of GovDelivery (the ESP clearly referenced in the headers) wouldn't even confirm that the White House is a client of theirs. Let's get this straight: The company whose network is being used to send unsolicited email, and whose own domain names and IP addresses appear in the headers, won't confirm whether or not somebody (who is mailing from their network) is a client of theirs.

I find the implied lack of transparency and openness boggling.

I've worked with various ESPs who have had clients who prefer that references to the ESP be minimized, but when the mail comes from the ESP's IP address and carries the ESP's domain name in the headers, if the ESP's response is anything other than "yes, this is our client, we agree that this is a problem, and we are looking into it," then that ESP has just disappointed me severely. An email service provider should always step up and take responsibility for the mail emanating from its IP addresses. That is, if it cares about getting email delivered successfully.

2 comments:

Huey said...

Back in 2004, a coworker thought it would be funny to sign me up for an email list for a political party other than my own. Ha ha, it was hilarious. Not.

How is forge-subscribing someone else not fundamentally fraudulent behavior? I.e., why was this not, in fairly short order, an ex-coworker -- especially at a company in the email space?

Al Iverson said...

Being the one guy working to stop abuse inside of a much larger organization is occasionally a challenge, and the organization will never see everything the way you do, even if they don't happen to be evil.