Jun 25, 2013

Where Spam Traps Come From and How They Work

Regardless of how spam is technically defined, we can probably agree it’s unwanted email, and we don’t like it. (Unless you send spam, and then you can go TOS yourself.)

In the fight against spam, some organizations use spam traps to find and block spammers. A spam trap is an email address that’s not actively used, but is actively monitored. If a spam trap receives an email, something is rotten in Denmark, because that email address never opted in to receive emails.

There are many, many spam traps out there, and they’re being managed by everyone from big anti-spam organizations like Spamhaus and SURBL, to security companies like TrendMicro and McAfee, to nation-wide ISPs and corporate email servers. As such, the proliferation and proven accuracy of spam traps makes it impossible to ignore alerts when one of our users hits a trap. Our compliance team reaches out to help, but this often evokes the question, “How did a spam trap get on my list?”

There are different types of spam traps, and they have their own special ways of worming their ways onto your list. Laura Atkins of Word to the Wise compiled an extensive guide to types of spam traps, and below we’ll look at common scenarios that can lead your list down some dangerous paths.

The typo

Mary sells paintings of Ronald Reagan eating a hot dog at festivals, and customers sign up for her mailing list by quickly writing an email address on a sheet of paper, which Mary’s intern types into a computer. You can see where things might go wrong here.

Perhaps the customer’s email address is, “blahblah@majorisp.com,” which is mistyped as, “blahblah@magorisp.com” by accident. Unfortunately, magorisp.com is a spam trap and reports Mary’s emails as spam since, technically, it didn’t opt-in.

Similar spam traps include fake addresses, like “sadafdf@sdfdsdsa.com,” or “my@email.com,” which are often entered into online forms and shopping carts that don’t require email confirmation.

The expired

John works for Generitech and signs up for a newsletter using his business email address. Everything is swell, until John is fired for setting the bathroom on fire. Bad John!

Generitech promptly deletes John’s email address, but years later, the company becomes so fed up with spam they reactivate his email as a spam trap. Since John’s emails bounced for a long time, Generitech assumes anyone sending legitimate emails to John back in the day would have long since removed him from their list. Only spammers who never clean or prune their list would still send to a long-dead email address.

Some anti-spam organizations will even purchase expired domain names and treat all incoming email as spam. When a domain expires, we treat the rejected emails as soft bounces in case the domain is experiencing temporary difficulties. (They forgot to pay the bill, for instance.) Spam traps usually wait several years before activating expired domains, so it’s okay to send a few emails to a bouncing domain in case the original owners reclaim it.

The purchased

Emily believes she has the greatest product in the whole wide world, and everyone should know about it. But only a few very interested people sign up for her email list. Poor Emily. So she goes online and purchases a list of email addresses, because they are surely all valid addresses for people interested in her amazing product.

Emily’s account is shut down. The end.

(Okay, not quite the end. We’ll let Emily stay if she removes the purchased list and promises to not ever do that again. We’re watching you, Emily.)

There are many varieties of spam traps in this category, including scraped, harvested, and seeded traps. Each is technically distinct in its own way, but they’ll only end up on your list if you purchase them, receive them from another business, or engage in some sort of co-registration scheme. Basically, they’ll never opt-in to receive your emails.

How bad are spam traps?

Let’s say you end up with one bad address on your list. So what?

Ramifications for hitting spam traps can range in severity, depending on what kind you hit, the organization running the trap, and how often you hit it. On the extreme side, an ISP or security organization can block the IP address (or entire range of IP addresses) from which the emails are coming. This would affect a large portion of MailChimp users, which is why we take complaints and notifications of spam traps very seriously.

"But," you might be asking, "can’t I just grow my list and drown out that spam trap? One spam trap on a list of 5 million isn’t so bad."

The organization running the spam trap doesn’t know if you send to 5 recipients or 5 million recipients, and they don’t care. Spam traps are a symptom of a problem, a sign for improvement in list-collection practices. If you’re hitting a spam trap, there’s a good chance you’re also sending email to real people who did not opt-in. It’s possible magorisp.com is an actual company, or Generitech hires another John. Sending email to these people is spam, and none of us wants to send spam, right?

That’s why the solution isn’t just finding and removing the trap from your list. First off, anti-spam organizations make finding the actual spam trap address very difficult. Second, it’s important to make sure the entire list is clean so those real people will receive a little less spam, which is something we can all appreciate.

How can I keep my list free of spam traps?

Whether you’ve hit a spam trap or not, it’s always a good idea to maintain a clean list. Every 6 months, give your list a good pruning by removing old, disengaged subscribers. Most spam traps will simply look unengaged with low star ratings and no opens.

We also automatically clean bounced emails from your list, so you don’t need to worry about those expired emails or domains. But be careful when moving lists between email service providers, and remember to always move the unsubscribed and cleaned subscribers as well, so they don’t end up back on the active list.

The best advice we can offer is using double opt-in confirmation for list signup. It’s the only way to ensure the correct email address is added to the list, and the subscriber genuinely wants to receive emails from you.

Pro tip: Check out Chimpadeedoo, MailChimp’s free mobile app that helps you collect typo-free email addresses offline, with double opt-in confirmation. (And we just released an Android version!)

Oh, and don’t ever purchase a list. Seriously.