Feb 28, 2009

How to get nabbed by SpamCop for Spamvertizing

Here’s a snippet of a SpamCop report received by our abuse desk:


The backstory is a MailChimp customer sent a campaign to an email list that they collected at an event a long, long time ago (Related: How old lists will kill your deliverability). One of their recipients forgot who the @#%& the sender was, and reported the email to SpamCop.

Forget about the whole issue of whether or not the sender is an innocent victim here, because their list was ‘opt-in.’

What really matters is the sender’s domain name could be tainted, and all their emails (no matter where they send from) could be blocked all over the globe.

Here’s how that happens.

See the "spamvertized web site" links in the screenshot?

Those are some of the domains that SpamCop found in the reported email.

The 3 domains that you see in the screenshot above belong to MailChimp.

The domains listed below them (that you can’t see) are domains that belong to the sender of the email campaign (I’m protecting their privacy here).

There are 3 ways we can get our domains de-listed from SpamCop:

  1. Shut down the sender (the fastest way to get delisted)
  2. Respond to this report, and provide documentation that proves the sender obtained opt-in permission from the recipient, so "as you can see, this is all probably a simple misunderstanding."
  3. It behooves me not to tell you the third way.

One way or another, MailChimp’s Abuse Desk will get our domains delisted from SpamCop. But if we find out that someone has intentionally violated our terms of use, how hard do you think we’ll try to get the sender’s domain names delisted?

If we find out the sender purchased an email list, or they had an old email list and thought MailChimp would be a convenient way to "clean it," we’re not exactly going to go out of our way to help their domains get delisted from SpamCop as we show them out the door.

The point I’m trying to make is that anti-spam systems "remember" domain names that they find inside of reported spam.

So if we end up deciding to shut down this MailChimp customer with extreme prejudice, and they move to some other email service provider (ESP), their domain will still be remembered as an abuser by SpamCop (and probably other email gateways and firewalls around the globe too).

If you have bad email management practices, you can run, but you can’t hide from your own email reputation.

How do you prevent this from happening to your company’s reputation?

  • Never send unwanted email
  • Don’t surprise anybody with emails they wouldn’t expect
  • Don’t assume that people on your list remember who you are
  • Don’t send to old email addresses
  • Collect proof of opt-in, just in case you’re reported to SpamCop. Without it, ESPs have little recourse but to shut down your account.
  • In your emails, always include some kind of reminder as to how you got the recipient’s email address (you’re receiving this email because…"). Bare minimum, put that in your footer. If it’s your first email campaign, consider making it your first paragraph.