Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Curious: Three Spam-Free Addresses that Shouldn't Exist

5/21/13

By Ken Magill

Conventional wisdom has it that sooner or later spam will hit an email address no matter how careful the address's owner is. I may have evidence that conventional wisdom is wrong.

For conventional wisdom, take the following blurb from About.com as an example: “All it takes to get on the mailing lists used by spammers is an email address. There is no need to sign up for anything or ask for emails. The spam just starts coming, out of nowhere, apparently without any plan, and without a reason. It invades email addresses that are never used.”

The article then goes on to explain—among other spamming tactics—dictionary attacks where spammers combine common domain names with random names and combinations of letters hoping to get a hit.

But consider this: As some readers may remember, in March of 2012 I set up three dummy accounts, one at Hotmail, one at Gmail and one at Yahoo, and signed them up for 30, 20 and 20 email lists, respectively.

The brands were a random mix of top retailers, non-top retailers, media, and liberal and conservative political lists.

With the exception of four brands that sent confirmation massages that required a response, I have not clicked on any of the messages received since I set up the accounts.

I began the experiment to see if mailers hitting a single, utterly disengaged email address would start getting shoved off into the spam folder. Some folks I respect informed me email reputation doesn’t work that way—that one disengaged address would simply register as a minuscule negative blip in the sender’s overall reputation with ISPs.

So be it.

However, in checking all three addresses yesterday, I found that just three brands were getting sent to the address’s spam folders, two at Hotmail—or Outlook as it’s called now—and one at Yahoo. No brand messages were in the Gmail spam folder. In fact, Gmail doesn’t even show a spam folder for that account.

Most interestingly, though, is that none of the accounts has any actual spam in their spam folders. No Nigerian 419 emails, no Viagra pitches, no porn, nothing.

The only messages appearing in these accounts are from senders to whom I supplied the addresses.

According to conventional wisdom, this should not be possible. The addresses are BobSimon647_at_the three providers. One would think BobSimon647 would be an easy target for a dictionary attack.

Maybe the ISPs have figured out how to prevent dictionary attacks.

One conclusion I think we can draw is that major brands are not sharing email addresses and major email service providers’ security is not as leaky as some would have us believe.

Out of signing up for 70 brands, not one subscription resulted in any of the three addresses getting into the hands of spammers.

This to me says consumer behavior is largely responsible for how much spam individuals get.

I would very much like to hear from some experts on this.

Comments

Show: Newest | Oldest

Post a Comment
Your Name:
Subject:
Comments:
Verification:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: Ken Magill
Date: 2013-05-22 12:19:06
Subject: Open?

Hey Amy: No, I didn't open any of them. I subscribed and then did nothing. Thanks!
Posted by: Amy
Date: 2013-05-22 08:21:34
Subject: Open Activity?

Did you open the emails? That is supposed to also play a role with whether ISPs are sending these emails to the inbox vs. the bulk/spam folder.
Posted by: Martijn Grooten
Date: 2013-05-22 04:31:00
Subject: spam

I have done the same, except at a larger scale, at my own domain, and for a longer period of time. Since the summer of 2011, I've subscribed about 700 addresses to as many lists/newsletters/mailings. Apart from confirming subscriptions to those using COI (roughly 1/3rd of them), I have never clicked any link, responded to any email etc. Only a very small number of these addresses (five if I'm not mistaken - four of which were caused by the same breach at an ESP) have started to receive spam. I am still happily surprised by that. I do think your email address is a lot safer at ESPs than it is at your friends' mail clients - after all, most ESPs make some effort to protect your address. I do think the lack of engagement may skew things a bit. These organisations know nothing about me, not even my name or address (when these were required for subscribing, I submitted fake ones). That makes them not very valuable compared to, say, addresses of real customers.
Posted by: Justin Khoo
Date: 2013-05-21 17:44:27
Subject: spam

A lot of the major ISPs drop or reject mail from blacklists completely so they don't even get to the spam folder. So a better barometer on whether you get spam is to have a self-hosted account ie. myaccount1234@kenmagill.com. Not saying that you would start seeing spam that way but it may play a small part.
Posted by: Jon Raney, ThomasNet News
Date: 2013-05-21 16:27:25
Subject: spam

Hi Ken I'm not sure the experiment quite proves the assertions, or perhaps maybe the About.com article is too broad or is a specific spamming circumstance. My feeling is that targeted spam more frequently occurs when you engage rather than disengage. And spam folder placement from disengagement is more related to the sender and the size of that senders' list and how many inactive names are on it. Also there is no chance you are registering an open on any of these accounts you set up right? *does non-engagement result in spam folder placement eventually *does having an email out there eventually result in spam coming to that address? Yahoo is the one that is more noted for being aggressive with spam folder placement for disengaged users. The others lag behind a bit. As an experiment I would try clicking on some for a while.
Posted by: Bill Kaplan
Date: 2013-05-21 16:12:32
Subject: Interesting data on spam

Very interesting data, Ken. Your study highlights a few important points that might be at odds with conventional wisdom: 1) While there is much discussion regarding ISPs' use of engagement metrics to determine inbox placement, this is rarely happening in practice 2) Email marketers place tremendous value on their opt-in databases and almost never share these with others 3) ISPs employ sophisticated processes to detect spam , thereby making dictionary attacks relatively easy to prevent. 4) Web scraping is harder to catch so masking your email address as you did in this article is definitely a precaution worth taking. Thanks for the interesting study, which also happens to be statistically significant. Ever thought of a sideline career in market research? :)
Posted by: Ken Magill
Date: 2013-05-21 15:55:08
Subject: Re: Will I get spammed now?

I had the exact same thought. I purposely didn't originally tell readers the addresses because I wanted them pristine. If they start to get spammed, I will report.
Posted by: Luke Glasner
Date: 2013-05-21 15:37:16
Subject: Post it for harvesting

Hi Ken, I have done similar things with my email addresses over the years. One thing I noticed was that addresses that I never post online get virtually no spam even after a few years as a live account. One's that I post on my site often do get spam after a few months. So my guess is that spammers find illegal harvesting of addresses online easier than running dictionary attacks. I have also found that emails that we did not post online but got a lot of spam randomly from spammers tended to be much simpler than the address above. So if it was just Bob_at_Provider or Bob647_at_provider I think it would be more likely to get picked up that way. Most of my experience is in B2B email and the biggest problem found using addresses like FirstName@Company.com, those that used a naming convention like First Initial.LastName@Company.com had less spam than the just FirstName@Company. my two cents worth :-) Luke
Posted by: Dan
Date: 2013-05-21 15:18:44
Subject: Will you get spammed now?

I wonder if the fact that you put the username portion here, will you start to get spam at any of those emails. Spammers are very creative and could be scraping pages for anything that looks like the portion before the @ sign. If you do start to get spam at some point, let us know.

Xverify