Click the comments link on any story to see comments or add your own.
Subscribe to this blog
28 Jan 2012
My mail server has a lot of spamtraps. They come from various sources, but one of the most prolific is bad addresses in personal domains. Several of my users have their own domains, such as my own johnlevine.com, in which they use a handful of addresses. Those addresses tend either to be people's first names, for individual mailboxes, or else the names of companies. If I did business with Verizon (which I do not) I might give them an address like firstname.lastname@example.org. All those domains get mail to lots of other addresses, which is 100% spam.
The made up addresses are largely dictionary attacks, which is obvious when I see sequential spam to barry@, betsy@, and bruno@. Some of them are company addresses that leaked to spammers before the companies went out of business years ago. And some are just mysteries.
My friend Bob Frankston has had his own vanity domain since 1992, which gets a lot of spam to spamtrap addresses. I automatically diagnose and send off abuse reports for a lot of it. Today I got a hand written response to one of them from a database marketing company in Florida. It said, in part:
This email resolves to a master record for [a name and address of a guy in Pennsylvania].
The recorded was added to the client's file on 11/12/2002 per a trip preference card that was sent to the postal address listed above. The trip preference card asks where someone would like to travel, and for their email address to be sent notifications.
If [that address] had changed their mind about receiving emails, we diligently suppress/remove opt outs. However, I do not see that email in our suppression, opt out, or feedback loops.
That wasn't too surprising, I've gotten other mail to that spamtrap from other spammers who gave me the same guy in Pennsylvania, who has no relation to Bob, and it's barely possible that someone could have scribbled something on a postcard that might have been mistranscribed as the spamtrap address, although the name of the alleged subscriber has no visible connection to the spamtrap address either. It's certainly plausible that once someone had the bad info, they sold it to lots of other marketers.
But two things jumped out at me. The first is the date, 2002. They've been spamming this address for ten years. Since it is a spamtrap, it has never responded, never ordered anything, never "opened" a message (ESP-speak for fetching the URLs in the message.) But they keep pumping out the mail anyway. The competent ESPs I know all purge their lists of dead addresses eventually, certainly in a lot less than ten years.
The other is the inability to imagine that every address in their crummy database isn't a live potential customer. This address never "changed their mind" because it doesn't have a mind. It's a spamtrap. It sends no mail, and it won't opt out because it never opted in.
I wish this situation were atypical, but it's not. If the putatively legitimate e-mail marketing industry wanted to understand why they've earned such a poor reputation, it wouldn't be hard to figure out.
Fun fact: Bob's last name happens to be the name of a town in Australia. Someone there has misconfigured one of their systems to send status reports with personal information about their clients to yet another made up address in Bob's domain, which I expect is totally illegal under Australian privacy law. I haven't been able to stop that, either.
My other sites
© 2005-2020 John R. Levine.
CAN SPAM address harvesting notice: the operator of this website will not give, sell, or otherwise transfer addresses maintained by this website to any other party for the purposes of initiating, or enabling others to initiate, electronic mail messages.