Now? Really? Spamhaus Blacklists Retailers for Typos
By Ken Magill
In an apparent first, anti-spam outfit Spamhaus has been blacklisting major retailers—among them Gap and Gilt—for email sent to addresses with typographical errors.
The typos are believed to be the result of addresses incorrectly entered into the retailers’ databases at point of sale as part of their e-receipts programs—paperless systems that allow customers to have receipts delivered to their inboxes.
Spamhaus maintains a list of IP addresses its volunteers deem to be sources of spam. Some email system administrators and Internet service providers use Spamhaus as part of their spam filtering formula.
Spamhaus is popular enough that listings on its anti-spam blocklist have been estimated to result in as much as 60 percent of the sender’s email being undeliverable.
As a result, Spamhaus’s block listing of retailers for typoed addresses collected at point of sale is troubling for a number of reasons. For one thing, these are addresses supplied by customers—presumably happy customers who are prime targets for other pitches.
And, of course, the timing of these listings—the 2012 Christmas-shopping season—is horrendous.
According to Spamhaus, if the emails to typoed addresses were simply transactional one-offs, there wouldn’t be a problem.
“The issue is that typoed email addresses are being associated with customer accounts and receiving all sorts of email (transactional and marketing both) without ever being confirmed,” Spamhaus said in its listing for Gap. “In other words, the problem is not with misdirected one-off emails, but ongoing emails to these spamtraps and (presumably) other mistyped email addresses.”
Moreover, according to Spamhaus, if the retailers would opt their point-of-sale acquired addresses into receiving email with a confirmation message requiring recipients to respond, there wouldn’t be a problem.
However, merchants are understandably reluctant to employ fully confirmed, or double, opt-in—where the recipient must respond to the confirmation message in order to receive further messages—with these addresses.
Experience has shown a large percentage of recipients don’t respond to confirmation messages and not necessarily because they don’t want to hear from the sender.
For example, The Magill Report’s drop-off rate during confirmation has been as high as 40 percent.
The one glaring question in all this is: How does Spamhaus know these retailers are sending to typoed addresses?
I contacted Spamhaus to find out. I received a reply from Spamhaus volunteer Tom Mortimer.
Rather than selectively edit his responses, I figured it would be most prudent and informative to include them in their entirety. Here is our exchange, which consisted of two emails each. I have cut and pasted his answers directly below each question in my two messages:
Magill Report, originally sent to Spamhaus chief executive Steve Linford: Question: The only way I can see this listing as possible is someone at Spamhaus has fed Gap spamtraps during a purchase. Is that true?
Otherwise how could your volunteers know Gap is marketing to typoed addresses?
Spamhaus: Hi, Ken. Tom Mortimer here at Spamhaus. The GAP SBLs were not mine, but I have listed some other companies for the same issue. We are convinced that the problem in all of these cases is bad data collection at points-of-sale.
This is how we came to that conclusion. Among our spamtraps we have a few domains that are similar to widely-used legitimate domains. We call these "typotraps" because the spam that they receive often shows evidence of having been a typoed subscription. (Among other things, a great deal of transactional email and email sent to what appear to be actual user accounts.)
Admittedly, our assumption that this email is due to a mistake somewhere in the email collection process is that -- we do not know it to be the case. But we believe that the probability is quite high. The good news is that a company who makes mistakes in data gathering at a point-of-sale is not a company who purchases lists, hires an email appender, or in some other way deliberately sends unsolicited bulk email. They're not bad guys. Most of them, if shown evidence of a problem, want to fix it.
The issue has come up now because we saw a significant uptick this fall in spam from retailers, many of them retailers who had not figured significantly on our radar in the past. A few of us took a close look at which spamtraps were receiving hits to see why there was a sudden influx of spam from companies that had not spammed previously. We found that most of the spamtraps were at typotrap domains, and worked from there.
Magill Report: Thanks Tom:
Not that you should care what I think, but I'm a bit torn on this one.
I know where Spamhaus is coming from and believe it performs a necessary service, but I can also see where a merchant would hesitate to closed-loop confirm an address that was provided at point of sale.
Spamhaus: So can I. The team member responsible for the Gap listings had a lengthy email exchange with Al Iverson at ExactTarget [Gap’s ESP], and he brought up the same issue.
Our initial communication about the problem was poor, and we also needed to consider the issue from more angles than we had. The conclusion was that the problem was not due to sending the initial receipt, but the ongoing email (both transactional and marketing) that was sent to the wrong email address, often not even providing the innocent bystander whose email address was provided in error with any means to opt-out or notify the sender of the error.
We concluded that there were at least two responsible ways of handling the problem. First, companies could simply send the receipt and then not keep the email address. They could mitigate the problem of repeat mistakes (usually by some user who doesn't know their own email address) by including a "this is not me" link so that errors could be reported.
Second, if a company wanted to send follow-up email to an email address gathered at a point of sale, then they could confirm it before adding it to an existing user account or sending further email after the receipt. I don't see any objection to offering some incentive to confirm, such as a discount or free item, if the company wants to increase the odds that the user will confirm.
Magill Report: The other typoed addresses they're presumably sending to will bounce and get removed. The ones they're getting listed for don't bounce because they're Spamhaus addresses, right?
Spamhaus: I wish this were the case. If it were, we wouldn't have an issue. The other typoed email addresses are frequently real email addresses, however, just not the email addresses of the people who provided them. What a typotrap catches are errors in the domain. Mistakes happen just as frequently in the username portion of the email address. When somebody typos a username at a popular and widely-used domain with many users, that typo often goes not to a dead end but to a different user.
Earlier this week I responded to a blog that Laura Atkins [principal, email deliverability firm Word to the Wise] posted about this very issue. So did three other people. Two reported receiving receipts and then marketing email for other individuals to their own email addresses. It hasn't happened to me yet, but my name is not uncommon in the UK and the email address that I use for non-Spamhaus communications is at Yahoo. I would not be at all surprised to find myself receiving some other Tom Mortimer's e-receipts and bulk email at some point.
Magill Report: I'm not planning on a Magillesque rant on this but these listings do seem a little harsh to me, especially now.
Spamhaus: I can see why. I'm not a retailer or marketer, so I tend to forget just how important Christmas is to many companies. At the same time, it makes sense that this issue was going to raise its head most noticeably during the leadup to the Christmas holiday this year. Half of us first got smartphones this year (the tardy half), and so many retailers are now taking advantage of it.
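The two handling options Spamhaus describes in the exchange above (send the receipt with a "this is not me" link, and confirm an address before any follow-up mail), sketched as an added example that is not part of the original article or of Spamhaus's replies. The class and function names, the signing key, the seven-day confirmation lifetime and the sample addresses are assumptions made for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: per-deployment signing key
CONFIRM_TTL = 7 * 24 * 3600       # assumption: confirm links expire after 7 days

def make_token(address, action, issued, key=SECRET):
    """Sign (action, address, issue time) so a link cannot be forged or moved."""
    msg = f"{action}|{address}|{issued}".encode()
    return f"{issued}." + hmac.new(key, msg, hashlib.sha256).hexdigest()

def check_token(address, action, token, now, key=SECRET):
    try:
        issued = int(token.split(".", 1)[0])
    except ValueError:
        return False
    expected = make_token(address, action, issued, key)
    # Only confirmation links expire; a "not me" report stays valid.
    fresh = action != "confirm" or 0 <= now - issued <= CONFIRM_TTL
    return fresh and hmac.compare_digest(token.encode(), expected.encode())

class PosAddressBook:
    """Addresses typed in at the till: pending, confirmed or suppressed."""

    def __init__(self):
        self.state = {}

    def record_sale(self, address, now):
        """Return the single receipt to send for this sale, or None."""
        addr = address.strip().lower()
        if self.state.get(addr) == "suppressed":
            return None  # a recipient reported "this is not me"
        self.state.setdefault(addr, "pending")
        return {"to": addr, "kind": "receipt",
                "confirm": make_token(addr, "confirm", now),
                "not_me": make_token(addr, "not_me", now)}

    def click(self, address, action, token, now):
        """Apply a link click; return the new state, or None if the token fails."""
        addr = address.strip().lower()
        if not check_token(addr, action, token, now):
            return None
        if action == "not_me":
            self.state[addr] = "suppressed"
        elif action == "confirm" and self.state.get(addr) == "pending":
            self.state[addr] = "confirmed"
        return self.state.get(addr)

    def may_send_followup(self, address):
        """Marketing and account mail go only to confirmed addresses."""
        return self.state.get(address.strip().lower()) == "confirmed"
```

An address that never clicks the confirm link stays pending, so it receives receipts but no marketing or account mail, which is the distinction Spamhaus draws between one-off and ongoing email.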