Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Now? Really? Spamhaus Blacklists Retailers for Typos

12/18/12

By Ken Magill

In an apparent first, anti-spam outfit Spamhaus has been blacklisting major retailers—among them Gap and Gilt—for email sent to addresses with typographical errors.

The typos are believed to be the result of addresses incorrectly entered into the retailers’ databases at point of sale as part of their e-receipts programs—paperless systems that allow customers to have receipts delivered to their inboxes.

Spamhaus maintains a list of IP addresses its volunteers deem are sources of spam. Some email system administrators and Internet service providers use Spamhuas as part of their spam filtering formula.

Spamhaus is popular enough that listings on its anti-spam blocklist have been estimated to result in as much as 60 percent of the sender’s email being undeliverable.

As a result, Spamhaus’s block listing of retailers for typoed addresses collected at point of sale is troubling for a number of reasons. For one thing, these are addresses supplied by customers—presumably happy customers who are prime targets for other pitches.

And, of course, the timing of these listings—the 2012 Christmas-shopping season—is horrendous.

According to Spamhaus, if the emails to typoed addresses were simply transactional one-offs, there wouldn’t be a problem.

“The issue is that typoed email addresses are being associated with customer accounts and receiving all sorts of email (transactional and marketing both) without ever being confirmed,” Spamhaus said in its listing for Gap. “In other words, the problem is not with misdirected one-off emails, but ongoing emails to these spamtraps and (presumably) other mistyped email addresses.”

Moreover, according to Spamhaus, if the retailers would opt their point-of-sale acquired addresses into receiving email with a confirmation message requiring recipients to respond, there wouldn’t be a problem.

However, merchants are understandably reluctant to employ fully confirmed, or double opt-in—where the recipient must respond to the confirmation massage in order to receive further messages—with these addresses.

Experience has shown a large percentage of recipients don’t respond to confirmation messages and not necessarily because they don’t want to hear from the sender. 

For example, The Magill Report’s confirmation drop-off rate during confirmation has been as high as 40 percent.

The one glaring question in all this is: How does Spamhaus know these retailers are sending to typoed addresses?

I contacted Spamhaus to find out. I received a reply from Spamhaus volunteer Tom Mortimer.

Rather than selectively edit his responses, I figured it would be most prudent and informative to include them in their entirety. Here is our exchange, which consisted of two emails each. I have cut and pasted his answers directly below each question in my two messages:

Magill Report, originally sent to Spamhaus chief executive Steve Linford: Question: The only way I can see this listing as possible is someone at Spamhaus has fed Gap spamtraps during a purchase. Is that true?

http://www.spamhaus.org/sbl/query/SBL168458

Otherwise how could your volunteers know Gap is marketing to typoed addresses?

Spamhaus: Hi, Ken. Tom Mortimer here at Spamhaus. The GAP SBLs were not mine, but I have listed some other companies for the same issue. We are convinced that the problem in all of these cases is bad data collection at points-of-sale.

This is how we came to that conclusion. Among our spamtraps we have a few domains that are similar to widely-used legitimate domains. We call these "typotraps" because the spam that they receive often shows evidence of having been a typoed subscription. (Among other things, a great deal of transactional email and email sent to what appear to be actual user accounts.)

Admittedly, our assumption that this email is due to a mistake somewhere in the email collection process is that -- we do not know it to be the case. But we believe that the probability is quite high. The good news is that a company who makes mistakes in data gathering at a point-of-sale is not a company who purchases lists, hires an email appender, or in some other way deliberately sends unsolicited bulk email. They're not bad guys. Most of them, if shown evidence of a problem, want to fix it.

The issue has come up now because we saw a significant uptick this fall in spam from retailers, many of them retailers who had not figured significantly on our radar in the past. A few of us took a close look at which spamtraps were receiving hits to see why there was a sudden influx of spam from companies that had not spammed previously. We found that most of the spamtraps were at typotrap domains, and worked from there.

Magill Report: Thanks Tom:

Not that you should care what I think, but I'm a bit torn on this one.

I know where Spamhaus is coming from and believe it performs a necessary service, but I can also see where a merchant would hesitate to closed-loop confirm an address that was provided at point of sale.

Spamhaus: So can I. The team member responsible for the Gap listings had a lengthy email exchange with Al Iverson at ExactTarget, [Gap’s ESP] and he brought up the same issue.

Our initial communication about the problem was poor, and we also needed to consider the issue from more angles than we had. The conclusion was that the problem was not due to sending the initial receipt, but the ongoing email (both transactional and marketing) that was sent to the wrong email address, often not even providing the innocent bystander whose email address was provided in error with any means to opt-out or notify the sender of the error.

We concluded that there were at least two responsible ways of handling the problem. First, companies could simply send the receipt and then not keep the email address. They could mitigate the problem of repeat mistakes (usually by some user who doesn't know their own email address) by including a "this is not me" link so that errors could be reported.

Second, if a company wanted to send follow-up email to an email address gathered at a point of sale, then they could confirm it before adding it to an existing user account or sending further email after the receipt. I don't see any objection to offering some incentive to confirm, such as a discount or free item, if the company wants to increase the odds that the user will confirm.

Magill Report: The other typoed addresses they're presumably sending to will bounce and get removed. The ones they're getting listed for don't bounce because they're Spamhaus addresses, right?

Spamhaus: I wish this were the case. If it were, we wouldn't have an issue. The other typoed email addresses are frequently real email addresses, however, just not the email addresses of the people who provided them. What a typotrap catches are errors in the domain. Mistakes happen just as frequently in the username portion of the email address. When somebody typos a username at a popular and widely-used domain with many users, that typo often goes not to a dead end but to a different user.

Earlier this week I responded to a blog that Laura Atkins [principal, email deliverability firm Word to the Wise] posted about this very issue. So did three other people. Two reported receiving receipts and then marketing email for other individuals to their own email addresses. It hasn't happened to me yet, but my name is not uncommon in the UK and the email address that I use for non-Spamhaus communications is at Yahoo. I would not be at all surprised to find myself receiving some other Tom Mortimer's e-receipts and bulk email at some point.

Magill Report: I'm not planning on a Magillesque rant on this but these listings do seem a little harsh to me, especially now.

Spamhaus: I can see why. I'm not a retailer or marketer, so I tend to forget just how important Christmas is to many companies. At the same time, it makes sense that this issue was going to raise its head most noticeably during the leadup to the Christmas holiday this year. Half of us first got smartphones this year (the tardy half), and so many retailers are now taking advantage of it.

Comments

Show: Newest | Oldest

Post a Comment
Your Name:
Subject:
Comments:
Verification:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: Brendan
Date: 2013-03-25 12:21:07
Subject: speaking of typos

It does seem an awful lot of trouble to require a confirmation massage in order to opt in. Must be an easier way.
Posted by: James Mounsey
Date: 2013-03-16 14:40:47
Subject: Spamhaus

I have been trying for the past three days to send UEGENT Emails everytime I have been blocked by the above people, thiis has resulted in the loss of two contracts worth several thousand pounds, I have tried to contact the above compant with no result, I cant even get the web page.
I often travel from Ireland to the UK and have had no problems with Email befor, if I get my hands on this stupid person who has caused this disruption for me I will casterate him.
Posted by: Clarity
Date: 2012-12-26 15:53:02
Subject: Inconsistent Policy

Steve was kind to offer further perspective, but his response only highlights Spamhaus' inconsistencies. While they have always advocated COI, until now, they haven't used tools which were sure to catch otherwise clean senders, but for their lack of COI. Previously, they would catch those using aggressive acquisition techniques as opposed to those who do not confirm opt ins. It's still unclear why Gilt is different than Gap and if these senders need to move ENTIRELY to COI before being delisted. I don't understand if Spamhaus mandates and ALL COI Internet, or if they are just allowing certain senders to skate on it if they are not otherwise abusive.
Posted by: Steve Linford - CEO Spamhaus
Date: 2012-12-25 08:15:57
Subject: Re: Spamhaus Blacklists Retailers for Typos

We are sort of half with you on this one Ken, we don't want to frustrate legitimate marketers and especial not retailers such as Gap, however it's difficult to reconcile telling senders that all bulk mail sent to Spamhaus users must be COI while at the same time saying "Well if you're Gap you don't need to care about COI or SBL policy, just bulk away to non-COI and we'll tell our users to regard you as the exception to the policy".

What we are doing currently is trying to make large retailers who refuse to use COI aware of the issue by flagging them in SBL listings but - note - as in the case of SBL168458 which you link to in your article, that these SBL listings list the IP address as "...0/32" - which is not actually blocking them (because nobody runs mail servers on ".0"). It was changed to 0/32 as soon as the issue was raised. We use "0/32" listings as flags to alert the senders and their hosts to an SBL policy issue but without actually blocking them, our way of warning that they're violating SBL policy and we will have to enforce SBL policy if they ignore the issue.

The reason we must highlight the COI issue with some big retailers is that when we buy online we trust the retailer with our private email address for purchasing or delivery problems and inevitably with some that trust is lost when we then start receiving junk to those addresses. A world tired with receiving junk to addresses they give retailers who won't let an online purchase continue without an email address is a world that learns to enter made-up email addresses or "president@whitehouse.gov" into the forms instead - to retailers who are happy to assert that the made-up address or indeed The President has fully subscribed to a ton of bulk mailings when to all normal minds they have not. In our view retailers shoot themselves in the foot by leaving this avenue for abuse open and Gap urgently needs to address their problem (which has been ongoing since June). COI has been Best Current Practice in mailing list management since at least 1996.

While it's true that COI has a drop-off rate during confirmation, I would argue that the drop-off rates you see are due quite simply to logical reasons: (1) User has entered a bad address and did not get your COI request. (2) User was not really that interested and having had a minute to "cool off" has now decided not to subscribe. (3) User actually couldn't give a damn, did you really want them that badly? They'd probably have pressed the "this is spam" button later. (4) User gave someone else's address and that recipient chose not to confirm. (5) Your COI request arrived looking like just another advert to press delete on.

BTW, Merry Christmas Ken!

Steve Linford
Chief Executive
The Spamhaus Project
Posted by: James S. Huggins
Date: 2012-12-25 01:02:20
Subject: Smamhaus

I second the comment from Annalivia at 2012-12-19 05:19:50, to witL
"I think it's pretty simple: email addresses used for transactional mail should not be used for marketing email without permission"

i.e., without double opt-in/confirmation.


.
Posted by: No One Ever
Date: 2012-12-21 10:24:02
Subject: What I hate

"I keep getting all this genuine transactional email which contains no personally identifiable information and was sent by a genuine company. THIS is the problem with the internet"

Said no one ever.
Posted by: AlphaCentauri
Date: 2012-12-20 13:34:14
Subject:

Just because a customer provided an email address when they made a purchase doesn't mean they gave their own email address. Retailers often make it impossible for customers to take advantage of certain discounts/premiums without handing over private contact information like email addresses or cell phone numbers. They can't be surprised they get fake email addresses when the customer's motivation for providing the information was something other than a desire to get email.

You also have to consider that people play pranks. They give their friends'/enemies email addresses out, just like they used to sign them up for magazine subscriptions back in the day. Spammers in particular like to play pranks when they identify spamtraps by giving those addresses to as many legitimate retailers as they can, just to discredit organizations like Spamhaus. If you don't use double opt in, you're going to get dirty lists.
Posted by: Pragmatisto
Date: 2012-12-20 12:28:42
Subject: Not Ideology

Richard's statement, "Spamhaus policies are driven by the views expressed by their users: if that were not so, their users would move away" is not an accurate representation of reality. ISPs use Spamhaus not for ideological reasons, but for pragmatic ones. The SBL stops lots of very bad spam and blocks only a small amount of mail which is generally 'wanted' by a significant percentage the recipients. ISPs do not have an infinite list of scalable options in this arena. All filtering misses some bad guys and catches some good guys so a decision has to be made about which one to use. That Spamhaus is no utilizing a new tact which will (and has) resulted in listings of companies who would have NEVER otherwise hit a traditional trap is going to skew how much 'wanted' mail they will be blocking going forward. I also disagree that a customer would ever give over any of these typoed traps as a customer would be much more likely to make up an address in the user portion, or use an older address, rather than say, "My email is bob@yahoo.com but please spell 'yahoo' with three 'o's." I predict Spamhaus will lose subscribers if they don't reverse this tact.
Posted by: Richard
Date: 2012-12-19 15:33:31
Subject: Typos

The number of marketers who - despite all warnings - continue to add what they believe to be customer addresses without the customers' informed consent, is still far too high. Many customers are now alert to this happening, and when a sales clerk demands they provide an email address, will quote a bogus or munged address. Spamhaus policies are driven by the views expressed by their users: if that were not so, their users would move away. But Spamhaus' users are not moving away - they do want this type of mail filtered (regardless of what marketers may claim) and that is why Spamhaus upholds these policies.
Posted by: Jen
Date: 2012-12-19 15:12:35
Subject: Spamhaus do your job

Does anybody agree that Spamhaus is malicious in purchasing these typo domains to trap legitimate marketers who have misspelled addresses on their file? How about letting the email hard bounce and allow the marketer remove from their file rather than bringing down their entire email marketing program at this time of year? I would like to see Spamhaus focus more on taking down actual spammers rather than the US Marketers who are abiding by the US laws. I think Spamhaus lost their way a long time ago.
Posted by: Annalivia
Date: 2012-12-19 05:19:50
Subject:

I think it's pretty simple: email addresses used for transactional mail should not be used for marketing email without permission.
Posted by: Stephanie Miller (@stephanieSAM)
Date: 2012-12-18 18:39:16
Subject: Spamhaus

Thanks for sharing all that, Ken. Although I always like a Magillesque rant!

Seriously, Spamhaus has a lot of power,and marketers feel helpless before them. Spamhaus does great work in the anti-spam effort and they are respected by the receivers for it. However, neither they nor the receivers really care about marketing messages. The fact that they shut down Gap email during holiday season without consideration for the business impact proves that once again. (Of course, they don't work for marketers, so it's okay - it's just incredibly frustrating for marketers.)

I'm at the DMA and we are starting to think about ways to foster better understanding, launch complementary services or maybe something else. We are also holding an open forum session (not SH specific) at our Email Evolution Conference in Feb to come up with ideas.

Love to hear your thoughts - send to me or Ken (if you are cool with that, Ken?)

smiller AT the-dma DOT org

Thanks!
SAM
Posted by: Ben
Date: 2012-12-18 18:34:43
Subject: Email fiscal cliff

Neither marketers nor SH wants to compromise on COI. When SH blocks brand retailers during the holidays, the only losers are consumers. Just as in Washington, without some compromise, both parties only continue to look worse when this keeps happening. SH needs to utilize reputation systems beyond spamtraps, and marketers need to bolster their anti-fraud and verification tools. If both parties really care about consumers, then something will change. If only there were some mediation service to help them work on the compromise....
Posted by: Jenny
Date: 2012-12-18 18:25:13
Subject: Ever hear of unsubbing?

Why can't people just use the unsub link instead of going for spam? It's not like Gap is sending porn or phishing.

Maybe the ISPs and SpamHaus should educate readers on what spam is vs an email you get by accident or one you'd like to stop receiving.
Posted by: Anon
Date: 2012-12-18 16:35:08
Subject: Mission Creep

Spamhaus are beyond their remit here.

They are intended to help combat networks of spammers - botnets and fraud gangs - everyone supports that mission. Forcing what they perceive as best practice on legitimate companies, and blocking significant revenue streams until they comply is unreasonable and over zealous.

SH is on a worthy mission, which is being undermined by fundamentalists holding legitimate companies to ransom.

Companies are required to comply with the law. If they are doing so, SH has no right to issue a block.
Posted by: BYOBB
Date: 2012-12-18 15:53:37
Subject: Typo

While Spamhaus champion's COI, until now, their methods targeted senders using either poor data hygiene or aggressive tactics (append, dictionary attacks, scrapping data). To purposefully target typos puts virtually every retail marketer at risk as COI is very rarely used by marketers. I dare say that it is rarely in use at the
companies who run major inbox providers that subscribe to Spamhaus.
This move will either make the entire Internet use COI, or it may be the beginning of the end for Spamhaus
Posted by: Matt Rotroff
Date: 2012-12-18 15:47:32
Subject:

This really doesn't seem right from either side of the fence. If a mailer is getting verbal opt-in at the POS and no bounces are returned from addresses with honest typos, then how can we stamp them as a spammer? 60% blocking is huge. When you're talking about numbers on this scale you need to be grading senders on a lot more than a few typos.

Look at the requirements for an RP cert, which is a great reputation boost. Shouldn't at least half that amount of criteria be used when deciding to basically bring a sender like Gap to their knees?
Posted by: Daniel
Date: 2012-12-18 15:39:55
Subject: Wow!

From Tom's last reply: "I'm not a retailer or marketer, so I tend to forget just how important Christmas is to many companies."

How can anyone who has anything at all to do email not know how important the holiday season is to retailers? Marketers are at the mercy of someone who says that to get their emails to the inbox. That's sad.
Posted by: Laura
Date: 2012-12-18 15:28:35
Subject:

There's an answer to your question of how do they know they're typos. They don't. They might be fake addresses customers are giving retailers. Or they might be fake addresses retail clerks are adding because of address collection quotas imposed by the retailer.

Attributing mail is sent to typos assumes that the retailer is actually not implementing bad practices and are trying to only send mail to customers.

Return Path