How big and how often?

Averaging out the last 149,623 spams I've received, the average size of each message is 7.8kbytes.

Over the past twenty-one days or so, I've received an average of 6,959 spams a day, or 4.8 spam emails every minute of every hour, twenty four hours a day.

I'll share information like this periodically, to help others who are looking for data. Feel free to share info like this with others.

Get your Sender ID on!

If there’s one thing I wish somebody would have warned me about a few months ago, it’s this: Get proactive with Sender ID, and do it NOW!

Sender ID suddenly just became a big deal at Hotmail. If you don’t have a Sender ID record, or you don’t have it exactly right, get a move on! If you don’t, you’re going to eventually run into issues trying to get mail into the Hotmail inbox.

Here’s what you need to do, in three easy steps:
  1. Create an SPF record. Go here. Put in every IP or netblock allowed to send mail on your behalf. Include a reference to your ESP or outsource providers. Take the record you create and drop it in as a DNS text record for your domain. Need examples? Look up the SPF record for other people’s domains to get an idea of how they do it.
  2. Make sure it covers your PRA (visible from domain), too. This is the important bit. An email sent to Gmail will pass an SPF check just fine with the record covering your MFROM (return path domain or bounce domain). That doesn’t mean it covers your visible from domain (PRA). If your visible from domain isn’t covered by an SPF or Sender ID record, Hotmail problems will follow.
  3. Test it. For work, I built an SPF/Sender ID/DomainKeys tester that we use for this. But, for the rest of y’all, I recommend using this tool from Return Path. It’ll break down PRA and MFROM results. Make sure they both pass. If the PRA test fails, you mail is likely to fail at Hotmail, too.
Not everybody failing Sender ID (or choosing not to sign) is having delivery issues to Hotmail. But, it is proving to be a reputational black mark. For some folks, that’s enough to start causing problems. For others, less so-- today, anyway. Tomorrow will likely be a different story.

Remember: authentication matters. Read more on the topic, including overviews of SPF and DomainKeys, over on my other blog post.

(I'm muddling Sender ID and SPF a little bit here, in the interest of making this a short article. SPF and Sender ID are very similar; Sender ID is essentially the newer version of SPF. I've focused on putting in SPF records in place, because Sender ID is backwards compatible, and I've found it easier and quicker to do SPF alone, which covers me for both Sender ID and SPF, when done correctly.)

Tracking lots of spam for fun and profit

It dawned on me today that I haven't been logging the recipient addresses identified in the spam messages I'm cataloging and reporting data on. I think it'd be a good idea to expand my data set sideways and start adding that info, as spot checking the data has been quite insightful. I've found, for example, that spammers are dumb enough to harvest from Google Groups, because I have a fair number of recipient addresses with “...” in them, indicating they were truncated versions of real addresses I used when posting to newsgroups years ago. Then there's lots of spam directly to those newsgroup-harvested addresses, spam to addresses obviously harvested from the web, spam hitting abused co-reg addresses, and god knows what else to actual once-valid but long-dead actual user addresses.

There's one alias that is getting just a metric ton of spam, and the construction of the username portion makes it clear to me that it was an alias I gave to somebody and they misused it, or somehow leaked it to some real bad dudes. I wish I could remember who I gave the address to – but that info is stored on a drive pulled from my old unix server when I moved to Chicago. I'm dying to know which random bad actor is responsible for that bit o' feed, because the mail it's getting is so far from CAN-SPAM compliant that it's not even funny.

Even though I'm getting more than six thousand spams a day, I've only been tracking an average of 2200 a day for the past forty-one days. At first I had to do a lot of manual review of the spam to ensure that it wasn't accidental ham, there was a fair amount of that to be weeded out. It was easily weeded out and rules were put in place to help keep it out, but doing so took time, and I couldn't run the whole spamtrap feed through the measuring stick until I reviewed it all.

Now that this is out of the way, the only things holding me back here and there are software bugs and/or server issues. Occasionally the drive on the server handling this mail fills up, so I had to do a lot of fancy coding around that, to make stuff sit and pause and wait for the disk usage to come back down. That's no fun. But now that I'm able to work around it, I should start consistently logging data about at least five thousand spams each day.

Here's some random statistics for you. I recently added Gmail bulk foldering to my spam results, and so far I'm seeing that Gmail is only 88.8% affective against my spam feed. Meaning, 11.2% of spam I receive is not going to the spam folder in Gmail. Of the 92,730 spam messages I've tracked so far, over the past forty-one days, they have come my way from 68,516 unique IP addresses, and 58,022 unique /24 blocks.

Just yesterday it dawned on me that I should start tracking domains used in spam. I decided to focus on from lines, and log unique from domains that actually exist. Just since I turned it on, I've tracked over 5,500 unique domains. I have a few ideas of neat things I can do with this data, after I compile enough of it, but I'm not sharing any of those secrets quite yet.

What I will share though, is information showing what IP addresses and netblocks actually send me the most spam. It'll be interesting to see how it compares to what other people are seeing on their own mail streams. Look for that soon!

Are you a good blogger?

OK, not spam related, but still topical. Hot on the heels of my own post on the top ten dos and don'ts of blogging comes this whiny article from Pete Blackshaw, published on ClickZ.

Pete probably should quit blogging; he sounds tired. As for the rest of us, there's a lot of info just waiting to be shared with the world, and blogging is a good way to get it out there. I'm not tired. I love it, and want to see more people doing it.

(I promise that the non-spam posts here will be very rare. There's nothing I hate more than off-topic posts on a specialist content blog...remember, kids, do as I say, not as I do!)

Sweepstakes and List Building

Jamie Schissler, Strategy Director at Avenue A | Razorfish, has this to say on the topic:

Having worked in the promotion marketing space, I love sweepstakes. They should be a staple in every brand and marketer's toolbox, and I've seen them executed with tremendous success. But just as you wouldn't use a tape measure to drive a nail, sweepstakes are not particularly effective for database growth and development. As a promotional strategy, they are great; as an acquisition strategy, less so. Let sweepstakes supplement your acquisition activities, not spearhead them.

Always good to see somebody agreeing with me on that subject. I've seen many senders run into many issues by using a sweepstakes as a list building approach. It's definitely not something I personally would recommend.

Switching hats for a case you're wondering which address(es) of mine started out legit but ended up geting the most spam? It was the address that I gave for a sweepstakes in 2003. Buried in the T&Cs was legalese that said they were allowed to sell my address, and wow, did they ever. This address now gets every kind of spam with every kind of falsity and deception. Bad subject lines. No postal address. No way to unsubscribe, etc. All traced back to this one address that I used in this one place.

As a consumer, this was a huge turnoff, that made me never want to give out an email address for a sweepstakes ever again. Yuck.

The very first spam?

Lots of people think that Canter and Siegel are the first internet spammers. Not exactly true. Long before their first excursions into bad taste in 1994, came another: Gary Thuerk of Digital Equipment Corporation. It all started in 1978, with his mass email to all the email addresses in the world (or at least as many of them as he could find and type in to his terminal by hand), advertising the latest and greatest in DEC Systems.

Read the whole story here.

I would love to say I was actively aware of this when it happened, but I can't. In 1978, I was beginning my computing career by writing BASIC programs on an HP mainframe computer to which I was connected over a 110 baud acoustic coupled modem link from a brown-paper teletype. An ASR-33, if I recall correctly. Keep in mind, that was over a hundred years ago, and I was very young.

As far as the first spams I recall personally receiving, or being involved in tracking down and blocking, that's a tough one. Frank Virga and Zvika Lichter were two well known (at the time) bad actors in the email space that I, in collaboration with many other folks, worked hard to push off the 'net. For a long time in the 90s, I had some weird/gross spam from Lichter printed out and taped to my wall at work, as an example of what spam was all about. Back then, not everybody knew what spam was, or why it was bad. I found that showing them one of Lichter's disgusting spam messages was an excellent educational tool. (I won't even described what the spam was offering, lest it haunt your next meal.)

Email Diva: Industry Standard For List-Cleaning

Over on Email Insider, Melinda "Email Diva" Krueger provides some wise advice on list cleaning best practices.

Two second summary:
  • Get non-responders off your list.
  • Test reconfirmation/renewal re-engagement methodology
I love it. If it's not yet considered industry standard practice, it's about time for that to change. Removing people who haven't clicked in years removes dead weight without killing your list. I regularly see it improve ROI, as you get the spamtraps and complainers out of the way, leaving only the people who actively want your mail and are most likely to respond. And you improve their ability to respond, by clearing out the bad addresses that cause spam filtering and blocks.

Read it, bookmark it, share it with your friends. This info should forever be ensconced in your personal "Email Marketing 101" handbook.

There's always more spam!

So, were you wondering how many average spams it takes to fill up a Gmail account?

I find today that the answer is: 280,570. Just over two hundered and eighty thousands spams is enough to make my Gmail account cry uncle. Ouch!

So, at this moment, my spamtrap is empty. I cleaned it out, making room for another 6200+ spams/day. This should get me another forty-five days or so.

It took me a bit of thinking to decide if I really wanted to delete all my spam. But, I have been logging it as of late, so I do have most of the sending IPs, subject lines, etc. logged. So, flushing away this sample doesn't really lose me all that much.

And, there is always more spam.

Ask Al: How do I publicize my new site?

Patrick Writes,

Hi. I like your blog! I run a doctor search engine, a new business looking to run a legit email campaign to get the word out to doctors. I don't know where to turn or who is legit, etc. Can you recommend anyone? Thanks for any help or referrals, etc.

Hi Patrick,

Thanks, glad you like the blog! I know it's tough starting a new site or business and trying to get the word out. I've helped others do this before, and there are actually quite a few things you can do.

As far as doing email campaigns, let's start with what you shouldn't do. Don't harvest email addresses. Harvesting addresses involves using software to find email addresses out on the internet and add them to your email list. Those people didn't opt-in to get mail from you, so if you send mail to lists like that, you're going to end up blocked fast and far and wide. It's spam, plain and simple, regardless of how well targeted it is. Don't buy lists either. There's no such thing as a guaranteed opt-in list for sale. The people on those lists don't know you, don't recognize you, and aren't keen to hear from you – they're already getting tons of unwanted spam from every other fool that bought that list. I can guarantee that such a list is going to garner more spam complaints than new visitors to your site.

If you want to get the word out via email, the way to do it is by partnering. Find sites that cater to doctors and find out what advertising opportunities they offer. I don't know a ton about this space, but a quick search says that WebMD, OneHealth, and Medscape might be places to start. Will they send an email to their list on your behalf? This type of third-party emailing is legal and common, though it can get spendy. Ask them if it's okay to send them press releases – maybe you can generate some buzz that will cause them to write articles about you, and get you free traffic and interest.

You could also partner with a list rental firm. I've guided clients toward Return Path's Postmaster Network in the past, with good results. I find them to be very reputable. Beware, though. For every good Postmaster Network, there a thousand fly-by-night firms whose lists aren't truly opt-in and who turn out to be run by people whose ethics are questionable. I'm technical enough that I've caught list rental brokers trying to deceive my clients with falsified proof of opt-in details (No, this Michigan RoadRunner user did not opt-in from an IP in London), or proof of delivery (no, an SMTP transaction handoff does not mean the recipient received it and therefore opted-in). Etc. The space is filled with bad guys changing company names every few months, selling opt-out access to lists compiled from questionable methodology. My recommendation would be to get references from anybody you're going to go with, and force the vendor to use an opt-in process, instead of opt-out, if the process involves the people being able to sign up to get emails from you later. With opt-out, the match rate is higher, and you will pay the list rental vendor more money. But, the complaints will be higher and you'll end up angering some important ISP like AOL and having to opt-in those names later. (Throwing away 90% of them in the process.)

Besides email campaigns, organic search is very important. If your field is unique enough, or you can find a unique enough angle, this actually can work pretty well. Start a blog or a content site. Write and post intelligent and relevant articles on the topic in question. Link to it legitimately by participating in blog and online forum discussions on the topic. Link back to appropriate content on your sites, but only in the context of the discussion. (Don't just post and say things like, “Hi! Great discussion. Visit my site at for more info! That's pretty close to blog spamming, and if it happens enough, Google will end up removing your site from their index. When that happens, the results are devastating and it can take months to clean up. )

Hope that helps! And thanks for your question.

Double opt-in: For and Against

Double opt-in, confirmed opt-in, email address verification, whatever you call it -- nobody ever universally agrees on whether or not you should do it. I see a lot of people in the anti-spam community try to recommend it based on their feelings. They relate specific experiences where a company annoyed them by not confirming subscriptions. Interesting, but it doesn’t always speak to senders in the language they need to hear. Unhappy anecdotes don’t provide the necessary info to convince marketers, who generally work by way of a data driven decision making process.