Don't Get Killed by 'Spam Trap Poisoning'

If your company sends out an e-mail newsletter to customers, you may find yourself suffering from 'spam trap poisoning.' Executive Tech columnist Brian Livingston explains what you can do about it.
If your company sends out an e-mail newsletter to customers, you may find yourself suffering from a new problem I call "spam trap poisoning."

Spam traps are e-mail addresses that antispam groups post on the Web but don't use for sending e-mail. Instead, these addresses lie in wait until they're found by "harvester" programs. These harvesters are key tools for spammers: they scan millions of Web pages, scooping up every e-mail address that's visible.

If a spam trap receives any e-mail, therefore, antispam groups assume the message must be spam. This can automatically put the IP address on a "blocklist" that keeps the sender's messages from getting through to some mail servers.

Unfortunately, spam traps are starting to bite legitimate businesses. I'll explain how and what you can do about it.

How Spammers Can Poison Spam Traps

I discussed spam trap poisoning with Julian Haight, the director of a controversial blocklist called SpamCop.net. In an interview, which formed the basis for my column last week on SpamCop, Haight said he's reduced his reliance on human spam complainers and has dramatically increased his use of spam traps. "80 to 90 percent" of the reports he receives are now generated by such bots, he explains.

Spammers, however, are learning how to discover which e-mail addresses are spam traps. How can this injure your company's reputation and e-mail deliverability?

Spam Traps Lead To Swift Blocklisting. Because spam-trap addresses can react immediately to any e-mail they receive, as little as a single message can add a sender to a blocklist within minutes. Spammers don't much care about one individual source of spam being blocked, of course. The top professionals in the spam business use a massive network of hundreds of thousands of PCs they've infected with Trojan horse programs that actually send the spam. Some infected PCs may be blocked, but spammers have many others that aren't.

A Process of Elimination. Because the biggest pros send millions of junk e-mails a day, they can segment their lists and send messages through different computers to try to identify spam traps. If one sender was added to a particular blocklist at 10:00 a.m., for example, it was probably due to a spam-trap address that received a piece of spam after 9:30 that same morning.

Poisoning the Spam Traps and Your Company's Good Name. By watching mailings that are sent out on subsequent days, spammers can soon isolate a few addresses that are almost certainly spam traps. The spammers then sign those addresses up for legitimate e-mail newsletters to ruin the effectiveness of the spam traps. Now the addresses are receiving legitimate e-mail, not just spam.

Reliance on Spam Traps Backfires on Blocklists. To best "poison" the spam traps, spammers use the newsletters of the most respectable companies possible. When mail servers that use blocklists start to reject mail from these large, respected brand names, the blocking services lose credibility. Many end users had wanted to receive those company's mailings and blame the blocklists for being wildly inaccurate.

If your company's newsletter is used in these exploits, the pain can be severe. Your routine e-mail messages can suddenly start to bounce — or simply disappear, deleted forever by mail servers that blindly relied on the blocklists.

Choose One: A Terrible Problem or a Horrible Problem

Haight is adamant that companies can avoid damage to their reputations by requiring all newsletter subscribers to "double opt-in" as opposed to "single opt-in." He also considers double opt-in to be a requirement because it prevents one person from signing up another person's e-mail address to an unwanted list.

Let's take a closer look at what single and double opt-in mean:

Single Opt-In. A single opt-in newsletter allow customers to sign up by entering their e-mail address in a Web form and clicking "Subscribe." The publisher usually sends an immediate message welcoming subscribers and telling them how to unsubscribe if a mistake has been made.

Double Opt-In. This method, also called "confirmed opt-in" or "verified opt-in," doesn't initially send any newsletter to customers who subscribe. Instead, the subscribers receive a message saying they must "verify" their e-mail address. The message usually instructs the recipient to click a hyperlink or generate some kind of e-mail response.

There's a big problem with double opt-in, however. The newsletters of most Fortune 500 companies don't require it, because a huge number of customers simply don't understand why they have to verify their address — "I just gave it to you, it's valid, you idiots." Other consumers don't respond because they've been told never to follow any instructions that an e-mail requests, as a precaution against "phishing."

"I've seen the rate as low as 40% confirmation," says Paul Myers, publisher and editor of TalkBiz News, a newsletter for business owners. His own publication, which uses double opt-in, has a very targeted audience and gets almost 100% confirmation, he says. But he doesn't believe double opt-in should be a requirement for every company. "There shouldn't be any reason why people miss the mail they want because they didn't understand the confirmation process — or that one was required."

The Battle Over Opting-In

Anne Mitchell is CEO of ISIPP (the Institute for Spam and Internet Public Policy), a whitelist organization that works with Internet service providers and spam filtering companies. "The push for double opt-in was really by the antispammers, not the ISPs," she says. "They [the ISPs] don't care how you build your list, as long as you don't send spam."

ISIPP maintains online scoring systems that are used by SpamBouncer and other antispam filters. One ISIPP scoring formula for trusted senders gives a maximum of 90 points to those who require double opt-in. But single opt-in newsletters can still achieve 80 points. The difference is small — because single opt-in newsletters aren't spam.

As far as the percentage of cases in which one person is subscribed by another person to a single opt-in newsletter, the number is "miniscule," Mitchell says.

How Many Mistakes Are Made, and Who Makes Them?

AWeber Communications is one of the world's largest e-mail service providers. Literally thousands of different customers use the firm's technology to send opt-in e-mail newsletters, according to company CEO Tom Kulzer.

AWeber requires the double opt-in method for new subscribers to get its own newsletter, Kulzer says. But his firm allows its individual publishers to choose to use either double opt-in or single opt-in. "More of our customers use single opt-in, fewer use double opt-in," he explained in a telephone interview.

Confirmation rates for the double opt-in newsletters he's monitored range from "nearly 100%" to "as low as 20%." Meanwhile, cases in which an innocent person has been signed up to a single opt-in newsletter without consent are very rare, in his experience. "We see that maybe once a month," Kulzer says.

"Usually the only time we see problems with somebody maliciously typing in someone else's address is vehement antispammers who are signing people up to a list," he continues. "When we track that down, the newsletter's been sent to a 'postmaster' account that only these [extreme] antispammers would know about."

Conclusion

You're caught between two awful choices. If you require a double opt-in policy for people to subscribe to your company's newsletter, you may lose half of more of the people who want to sign up for it. That's bad customer service. On the other hand, if you use single opt-in, as most companies do, anyone can add spam-trap addresses to your database of subscribers. Your company could suffer e-mail deliverability problems for days after every issue of your publication goes out — activating the blocklists each time.

The answer is to carefully monitor which blocklists point to or don't point to the IP addresses that your company uses to send mail. OpenRBL.org is one free service that allows you to enter any IP address or domain name to see whether it's on any of 30-some real-time blocklists.

If your company does get whacked by a blocklist for a few hours or days after your newsletter goes out, use some of the same tricks that spammers use to identify spam traps. Segment your e-mail list into 24 groups at random. Send mail to each group, one hour apart throughout the day. If one group triggers a blocklist, segment it even further until you've isolated the potential problem addresses.

Finally, consider dropping subscribers who, according to your server logs, haven't clicked a hyperlink in months — they could be robots disguised as ordinary newsletter readers.

Brian Livingston is the editor of Brian's Buzz on Windows and the co-author of "Windows Me Secrets" and nine other books. Send story ideas to him via his contact page.






0 Comments (click to add your comment)
Comment and Contribute

 


(Maximum characters: 1200). You have characters left.