Marketing’s Weekly Dose of the Truth

Ken Magill

About Us

Oops: DMA Spams Spamhaus, Others


10/29/13

By Ken Magill

The U.S. Direct Marketing Association sent an email campaign over the weekend that reportedly hit more than 100 spam traps and email boxes of some of the world’s most prominent anti-spammers.

According to Stephanie Miller, vice president, member communications and engagement for the DMA, the campaign was one massive mistake.

“A promotional message for the DMA Career Center was accidentally sent to the entire DMA database on Saturday,” she said. “Suppression files were used. However, a mistake was made by our team. We take full responsibility for the error. It literally pulled the entire DMA database by accident.”

How some of the addresses ever got into the DMA’s database remains a question.

At least one of the messages reportedly hit anti-spam outfit Spamhaus’s chief executive Steve Linford’s personal address.

Spamhaus maintains a list of what its volunteers deem to be sources of spam. The world’s biggest mail inbox providers use Spamhaus to varying degrees as part of their spam fighting formula. As a result, a listing on Spamhaus can result in severe email deliverability problems.

According to Linford, the message the DMA sent to his personal address tipped him off that the organization may have been sending unsolicited email.

“While Spamhaus SBL [Spamhaus blocklist] listings are based on much wider views of spam than our own mailboxes, our mailboxes can tell us what we should look for,” wrote Linford in a blog post on the incident.

“Once we saw that [the DMA] spam and knew to look, Spamhaus investigators were quickly able to identify many other spamtrap addresses which also received the same spam, both spamtraps that belong to Spamhaus and spamtraps that belong to independent researchers on multiple networks,” Linford continued.

“We also heard from several prominent anti-spam researchers, who also received this same spam at their personal email addresses. Given the number and diversity of the spamtraps that received this spam, we are 100 percent confident that the DMA also spammed a very large number of active user mailboxes.”

As a result, Spamhaus blocklisted the DMA.

So how did anti-spammers’ email addresses and spam traps end up in the DMA’s database at all? Miller said she doesn’t know, but that the DMA is taking steps to remedy the situation.

“Somehow they must have been on some sort of list, and maybe signed up for something or were on an outside list or a legacy list, but they’re certainly not records we mail to on a purposeful basis,” she said. “We are horrified by this mistake. We apologize to the membership, to the industry and anyone on the file. We have already taken actions to retrain our staff. … And we’re taking steps to prevent further errors. … We are adding new business rules to our Yesmail application to prevent any such egregious errors in the future, including adding ‘never-mail’ flags. And we are removing outside legacy data from our database.”

And if spamming Spamhaus wasn’t bad enough, the DMA’s weekend email also landed in some tagged email boxes—addresses created for a specific organizations’ email programs—owned by others in the anti-spam community.

Some people tag email addresses so they can know if the organization they gave it to shares it.

For example, Laura Atkins, principal at email deliverability consultancy Word to the Wise, said she received three of the DMA’s weekend emails.

She said she received one at the email address she set up to subscribe to my old newsletter, Magilla Marketing, which was published by Penton Media, my former employer.

Atkins said she received another at an address she tagged for Chief Marketer magazine—another former Penton publication—and another at a wordtothewise.com address she said she never subscribes to anything.

She said she unsubscribed from Penton’s email program in 2010.

“I've heard from other folks they got mail to addresses that were different from the ones they had given to the DMA,” she wrote in an email exchange. “They also hit a lot of folks outside the U.S. And, well, Spamhaus addresses.”

Miller said some of the email addresses might have been part of postal files the DMA has with email addresses attached the DMA never intended to email, but that she couldn’t know for sure.

Some are understandably speculating that Chief Marketer is selling or sharing email addresses. However, the errant DMA messages to addresses gathered by Penton years ago may be the result of years-old collaborations. Chief Marketer is currently owned by Access Intelligence LLC.

Penton and the DMA used to collaborate on, among other things, promoting the National Center for Database Marketing’s conferences.

It is entirely possible that during these collaborations, Chief Marketer and other Penton subscriber addresses ended up in the DMA’s files.

However, this still means the DMA sent its weekend campaign to at least two addresses collected by Penton that have been inactive for almost four years.

That said, hitting more than 100 spam traps is usually a strong indication of buying names from a source that is scraping addresses on the Internet, which is not illegal under the CAN SPAM Act, but anything but a best practice.

“I can say unequivocally that we don’t buy lists,” said Miller. “But I agree those records should never have been in there.”

What is more, unsolicited commercial email is outlawed in the United Kingdom, so by emailing Linford, the DMA broke U.K. law.

This is not the first time the DMA has received a Spamhaus listing.

The organization was blocklisted multiple times in 2011, according to sources.

Miller published a blog post yesterday on the DMA’s website outlining the steps the DMA is taking to ensure what happened over the weekend doesn’t happen again.

 

Comments

Show: Newest | Oldest

Post a Comment
Your Name:
Subject:
Comments:
Verification:
Please type the letters in the image above

Terms: Feel free to be as big a jerk as you want, but don't attack anyone other than me personally. And don't criticize people or companies other than me anonymously. Got something crappy to say? Say it under your real name. Anonymous potshots and personal attacks aimed at me, however, are fine.

Posted by: Naivety
Date: 2013-11-02 00:14:57
Subject:

Such a sweet opportunity for spamhaus to do some propaganda.
Posted by: Cecil Adams
Date: 2013-10-31 10:25:15
Subject: Spamhaus News Article link

http://www.spamhaus.org/news/article/703/the-dma-kicks-spam-up-a-notch
Posted by: Tom Mortimer
Date: 2013-10-29 20:56:29
Subject:

Good blog, Ken. I thought I'd add a bit of late-breaking news.

The DMA and Yesmail provided a rather thorough and (we think) accurate analysis of what caused Saturday's spam run, and proposed a series of fixes for the immediate issue and to prevent the same thing from occurring again. Both organizations also indicated that they are permanently eschewing use of third-party lists (including purchased and email append lists).

Spamhaus now believes that the DMA and Yesmail have fixed the problems that led to the spam and that they won't be doing this again, so the SBLs for the DMA's IPs were closed about a half hour ago.
Posted by: Steve
Date: 2013-10-29 19:14:39
Subject: So, about that internal DMA document...

The last time that I recall the DMA spamming through YesMail, getting YesMail SBLed and attempting to deal with their issues you mentioned that you'd acquired an internal document investigating the things they did wrong. Did they learn anything from that experience?

http://www.magillreport.com/Shocker-DMA-Was-Blacklisted-by-Spamhaus/
Posted by: Steve
Date: 2013-10-29 17:46:48
Subject: Non-existent addresses

I'm told there were also delivery attempts (from the same dedicated IPs the DMA spam came from) to email addresses that do not exist and which have never existed.

So it looks like it was sent to a mix of purchased, harvested, and simply fictional addresses (as well as, presumably, some legitimate ones).

I do wonder why, if it has always been against DMA policies to mail third party lists why they ever had them. You can't just say "legacy" and get a free pass on contradicting yourself.