Don't Get Killed by 'Spam Trap Poisoning'

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

If your company sends out an e-mail newsletter to customers, you may find
yourself suffering from a new problem I call “spam trap poisoning.”

Spam traps are e-mail addresses that antispam groups post on the Web
but don’t use for sending e-mail. Instead, these addresses lie in wait until
they’re found by
“harvester” programs. These harvesters are key tools for
spammers: they scan millions of Web pages, scooping up every e-mail address
that’s visible.

If a spam trap receives any e-mail, therefore, antispam groups assume the
message must be spam. This can automatically put the IP address on a “blocklist”
that keeps the sender’s messages from getting through to some mail servers.

Unfortunately, spam traps are starting to bite legitimate businesses. I’ll
explain how and what you can do about it.

How Spammers Can Poison Spam Traps

I discussed spam trap poisoning with Julian Haight, the director of a
controversial blocklist called SpamCop.net. In an interview, which formed the
basis for my column
last week on SpamCop, Haight said he’s reduced his reliance
on human spam complainers and has dramatically increased his use of spam traps.
“80 to 90 percent” of the reports he receives are now generated by such bots,
he explains.

Spammers, however, are learning how to discover which e-mail addresses are spam
traps. How can this injure your company’s reputation and e-mail deliverability?

• Spam Traps Lead To Swift Blocklisting.
Because spam-trap addresses can react immediately to any e-mail they
receive, as little as a single message can add a sender to a blocklist
within minutes. Spammers don’t much care about one individual source of spam
being blocked, of course. The top professionals in the spam business use
a massive network of hundreds of thousands of PCs they’ve
infected with Trojan horse programs that actually send
the spam. Some infected PCs may be blocked, but spammers have many others that
aren’t.

• A Process of Elimination.
Because the biggest pros send millions of junk e-mails a day, they can segment
their lists and send messages through different computers to try to identify
spam traps. If one sender was added to a particular blocklist at 10:00 a.m.,
for example, it was probably due to a spam-trap address that received a piece
of spam after 9:30 that same morning.

• Poisoning the Spam Traps and Your Company’s Good Name.
By watching mailings that are sent out on subsequent days, spammers can
soon isolate a few addresses that are almost certainly spam traps.
The spammers then sign those addresses up for legitimate e-mail newsletters
to ruin the effectiveness of the spam traps. Now the addresses are receiving
legitimate e-mail, not just spam.

• Reliance on Spam Traps Backfires on Blocklists.
To best “poison” the spam traps, spammers use the newsletters of the most
respectable companies possible. When mail servers that use blocklists start to
reject mail from these large, respected brand names, the blocking services lose
credibility. Many end users had wanted to receive those company’s mailings
and blame the blocklists for being wildly inaccurate.

If your company’s newsletter is used in these exploits, the pain can be
severe. Your routine e-mail messages can suddenly start to bounce — or
simply disappear, deleted forever by mail servers that blindly relied on
the blocklists.

Choose One: A Terrible Problem or a Horrible Problem

Haight is adamant that companies can avoid damage to their reputations by
requiring all newsletter subscribers to “double opt-in” as opposed to
“single opt-in.” He also considers double opt-in to be a requirement because it
prevents one person from signing up another person’s e-mail address to an
unwanted list.

Let’s take a closer look at what single and double opt-in mean:

• Single Opt-In. A single opt-in newsletter allow customers to
sign up by entering their e-mail address in a Web form and clicking “Subscribe.”
The publisher usually sends an immediate message welcoming subscribers and
telling them how to unsubscribe if a mistake has been made.

• Double Opt-In. This method, also called “confirmed opt-in” or
“verified opt-in,” doesn’t initially send any newsletter to customers who
subscribe. Instead, the subscribers receive a message saying they must
“verify” their e-mail address. The message usually instructs the recipient to
click a hyperlink or generate some kind of e-mail response.

There’s a big problem with double opt-in, however. The newsletters of most
Fortune 500 companies don’t require it, because a huge number of customers
simply don’t understand why they have to verify their address —
“I just gave it to you, it’s valid, you idiots.” Other consumers don’t respond
because they’ve been told never to follow any instructions that an e-mail
requests, as a precaution against
“phishing.”

“I’ve seen the rate as low as 40% confirmation,” says Paul Myers, publisher
and editor of
TalkBiz News, a
newsletter for business owners. His own publication, which uses double opt-in,
has a very targeted audience and gets almost 100% confirmation, he says. But he
doesn’t believe double opt-in should be a requirement for every company. “There
shouldn’t be any reason why people miss the mail they want because they
didn’t understand the confirmation process — or that one was required.”

The Battle Over Opting-In

Anne Mitchell is CEO of
ISIPP (the Institute for
Spam and Internet Public Policy), a whitelist organization that works with
Internet service providers and spam filtering companies. “The push for
double opt-in was really by the antispammers, not the ISPs,” she says. “They
[the ISPs] don’t care how you build your list, as long as you don’t send spam.”

ISIPP maintains online scoring systems that are used by
SpamBouncer and
other antispam filters. One ISIPP scoring
formula
for trusted senders gives a maximum of 90 points to those who require double
opt-in. But single opt-in newsletters can still achieve 80 points. The
difference is small — because single opt-in newsletters aren’t spam.

As far as the percentage of cases in which one person is subscribed by another
person to a single opt-in newsletter, the number is “miniscule,” Mitchell says.

How Many Mistakes Are Made, and Who Makes Them?

AWeber
Communications is one of the world’s largest e-mail service providers.
Literally thousands of different customers use the firm’s technology to
send opt-in e-mail newsletters, according to company CEO Tom Kulzer.

AWeber requires the double opt-in method for new subscribers to get its own
newsletter, Kulzer says. But his firm allows its individual publishers to
choose to use either double opt-in or single opt-in. “More of our
customers use single opt-in, fewer use double opt-in,” he explained in a
telephone interview.

Confirmation rates for the double opt-in newsletters he’s monitored range
from “nearly 100%” to “as low as 20%.” Meanwhile, cases in which an innocent
person has been signed up to a single opt-in newsletter without consent are
very rare, in his experience. “We see that maybe once a month,” Kulzer says.

“Usually the only time we see problems with somebody maliciously typing in
someone else’s address is vehement antispammers who are signing people up
to a list,” he continues. “When we track that down, the newsletter’s been sent
to a ‘postmaster’ account that only these [extreme] antispammers would
know about.”

Conclusion

You’re caught between two awful choices. If you require a double opt-in
policy for people to subscribe to your company’s newsletter, you may lose
half of more of the people who want to sign up for it. That’s bad customer
service. On the other hand, if you use single opt-in, as most companies do,
anyone can add spam-trap addresses to your database of subscribers. Your
company could suffer e-mail deliverability problems for days after every
issue of your publication goes out — activating the blocklists each time.

The answer is to carefully monitor which blocklists point to or don’t point to
the IP addresses that your company uses to send mail.
OpenRBL.org is one free
service that allows you to enter any IP address or domain name to see
whether it’s on any of 30-some real-time blocklists.

If your company does get whacked by a blocklist for a few hours or days after
your newsletter goes out, use some of the same tricks that spammers use to
identify spam traps. Segment your e-mail list into 24 groups at random. Send
mail to each group, one hour apart throughout the day. If one group triggers
a blocklist, segment it even further until you’ve isolated the potential
problem addresses.

Finally, consider dropping subscribers who, according to your server logs,
haven’t clicked a hyperlink in months — they could be robots disguised
as ordinary newsletter readers.

Brian Livingston is the editor of Brian’s
Buzz on Windows and the co-author of “Windows Me Secrets” and nine other
books. Send story ideas to him via his
contact page.