So Mr/Ms Marketeer, you have everything in order.  You have a 400k address list, you’ve hired an ESP to make sure all the basics are in order, you’re authenticated and CAN-SPAM’d up to the eyeballs, and it’s time to market but … WHAM! your messages end up hitting the spam folder.

Sound familiar?

Surprised?

I’m not.   I didn’t say the list contained recent customers who love you enough to entrust your employer with their name, postal address, email address, date of birth, credit card number, inside leg measurement and gave your company their explicit permission did I?  I’d also go as far as to suggest that permission in one form or another is actually the root cause of most deliverability issues.

Since spam reports or complaints are a hugely important part of the reputation equation for every mailbox provider these days, I’ve some advice about some of the most common issues we’ve seen and learned from over the years.  These are the sort of problems  that are guaranteed to upset your email recipients and trip you at the first hurdle.

Before we start, I would like you to keep in mind, that for many email recipients, a “spam report” is a psychological pacifier, used when they want to resolve a situation in their inbox, a situation they genuinely believe the sender is contributing to.

Permission:

The key to creating the very cleanest mailing list is only ever using genuine self sourced, confirmed permission recipients.   Even the big senders get this wrong and it really is the simplest thing to get right. Why? Well it’s generally <Insert some excuse about 3rd parties here> reasons, so let’s set the record straight right now:  Editing your privacy policy is not an opt-in, no matter how legal it is. It’s a spirit vs letter of legality issue and is tantamount to tricking permission.  The same goes for co-registration, opt-in list leasing, marketing data partnerships and appending. So;

What sort of permission does your company really have?

How accurate is your data?

How current is your data?

How does the recipient actually know you?

My acid-test of permission is ” Did I give permission to this Company ” and  if the answer is anything but a simple “Yes” then I can’t say I blame anyone for hitting the report spam button and casting an email to the spam folder.  Your job is to ensure your customers make that familiarity connection when they read every single email.   If you chose make your opt-in blatantly clear and actually an obvious conscious decision during the customer sign-up experience your recipients are more likely to remember opting in.  To this end your recipient data should include data on exactly how the recipient opted in, be it a purchase option, website subscription request, an affiliate referral or entering a competition. If you’re not doing this then you’ll have problems back-tracking issues and segregating channel segments that cause an abnormal volume of complaints.

Mailing old lists:

Your recipients are likely to be a little forgetful, so despite your amazing data to the contrary, recipients will often just forgot they subscribed if you haven’t been mailing them recently. If your brand has slipped over their familiarity event-horizon they will reach for the “Report Spam” button. I’m surprised more legitimate marketers don’t remind users how and when they subscribed if they have a direct relationship.

Speaking of old lists…

List Sourcing:

The Ultimate E-Mail List!

↖ This is how you shouldn’t do it ↗

If you care about your companies virtual  ”sleaze rating”,  Never ever buy,  rent, borrow, swap, steal, scrape or otherwise acquire lists to supplement your marketing.  There are lots of brokers about offering permission granted lists and the recipients are besieged with spam, so is it any surprise they are probably a little more belligerent than most and complain a lot?  This is all because the lists are simply sold to anyone and everyone.

Don’t think this won’t happen to you either.  Part of the inspiration of this post is that I recently spoke to some great guys from an absolute powerhouse in the email space about an over-enthusiastic sender of theirs.  The reason readers should not to be complacent is that this victim weren’t an ESP, they were a retail giant who happen to send a modicum of marketing on behalf of others and somehow a bad list found it’s way onto their platform, and, well, a “WHAM!” happened.  My team had them back on the path of goodness by return, but it took non-trivial auditing time to investigate.

Personalise:

You can use some basic psychology to avoid some complaints by always addressing a recipient directly and properly. Addressing in this context is more than gender or name.  Here are some pretty poor examples:

• Dear shopper or Hi Subscriber, - You may as well say “Please report this as spam.”.
• YOUR EMAIL ID.HAS WON – Again, very generic greetings, but this time with a “too good to be true” hook.
• To: “jdoe@example.com” <jdoe@example.com> –  You don’t have a real name? How can you personalise?
• Sir, Will you / <Politician surname> Supporters!  We need … – Nothing says “report me” if you get the recipients gender or facts like political allegiance incorrect.

Just take a look how the “big guns” address their mail.  ”Hi Dave,”, “David”, “Mr Smith,”.  Using personalization appropriately is much more appealing to the recipient and endears the sender to them somewhat.  Here endeth today’s psychology lesson.

The emergency exits are…                           [Report Spam]

The cognitive aspect of a spam complaint is an interesting beast.  When a recipient makes the decision to report spam they are trying to alleviate a situation in their inbox that they completely believe is being caused by your mail. It doesn’t matter if they bought from you last week, or if they opened a mail from you and rendered the images 59 days ago, they genuinely want you to stop.  So please, for the love of the inbox, process every reply, every feedback loop and always put an unsubscribe button above the fold.  You don’t want unhappy subscribers on your list so by helping them to help themselves you will reduce complaints. So ask yourself before you send again, where is your emergency exit sign?

Another quick true story:  I spoke to an ”ESP” this morning that was re-selling a “technology partners” services (those of another ESP) to a 3rd party organization and had a pretty poor feedback situation going on with some recipients complaining very frequently over a continued period and their persistent sending to spam traps was borderline harassment.   After a lengthy discussion this “ESP” (and I use the term only because they did)  blamed their lack of feedback loop data on their technology provider.  They are clearly demonstrating neglectful list husbandry and this was obviously reflected in the feedback we see from the Cloudmark community.   Who’s to blame for the reputation of a poor sender in this scenario? Well it certainly isn’t us.  Where did their explicit permission come from?

Pick your ESP with care:

There are 3 rules of thumb with ESPs :

1. ESP’s vary in quality.
2. ESP’s are great at self marketing.  
3. Goto 1.

ESP’s are run by the successful marketeers, so choose one that’s going to work hard to help you the most no matter how much it hurts is the key.  Yes, they should audit your best practices thoroughly, if they don’t you probably chose the wrong ESP.  Yes, if you have sufficient data on your clientele they will probably advise you as part of their stewardship process to remove 20%, 30% or even 50+% of your list before you send.  Is that so bad? If you think about it they are trying to save your money and reputation.  One final thing to remember is that the term “blast” has never in my experience been a good sign.

Quality not Quantity:

Everybody knows (hopefully by now) that over-mailing a list is hugely damaging and that the key to engagement is quality not quantity.  The overall mantra to this tale is that high quality mail in general does not generate anywhere near the amount of poor feedback.  I’m not just talking about quality content, I’m talking about recipients and senders too.  If you can create a little desire or passion in your creative and your permission is in good order, you’re almost certainly on the right path.

TL;DR; Cheating on permission is “campaign suicide”.

Slashdot had an article earlier this month about a popular WordPress plugin being used to send spam. In this case, the attack was very unusual in that the plugin code itself was modified by a rogue developer to insert spam links in generated content. This plugin was then available for download via the official WordPress plugins directory.

Attacking hosting software is so valuable to spammers as it allows them to piggyback on the positive reputation earned by a legitimate website, in contrast to the neutral or even possibly negative reputation that they would have with a newly registered domain. It’s usually a lot easier for a spammer to steal and ruin someone’s hard-earned positive reputation than to earn a positive reputation on their own.

Earlier this year we discussed how wordpress-powered websites were being increasingly targeted by spammers. We’re all familiar with techniques such as exploiting software vulnerabilities, attempting to guess/crack/reset passwords, etc. The Slashdot article points out that even if you do your best to keep software up to date and manage your passwords, the software itself might be an attack vector. In horror movie cliche terms, sometimes the phone call really is coming from inside the house!

With the close of 2013’s first quarter, we’ve released our Q1 2013 Global eMessaging Threat Report detailing a myriad of SMS and IP spam statistics, trends and observations from the past three months. Paramount among them is a set of allegations leveled by the Federal Trade Commission (FTC). These filings contended that the defendants were responsible for collectively sending more than 180 million gift card themed scam SMS messages.

Subscriber reports to the GSMA Spam Reporting Service, 7726, shed a clear light on the potency of this regulatory move as daily volume rates for these scams plummeted. Below is a daily tracker illustrating the impact of the FTC regulations on the daily volume of SMS gift card scams. Earlier in the quarter, we were seeing gift card scam volumes peaking above 50% of all reports in a given day. Soon after the FTC announcement, the same scams plummeted below 10% of each day’s volume.  A similar trend was seen more macroscopically. In 2012, these scams constituted 44% of all SMS spam reported during the year. This has fallen dramatically in 2013 with only 6% of the March’s volume being gift card scams.

We saw growth in other attack categories over this quarter.  The figure below shows Job Listing Scam’s monthly volume share rose by 400% over the quarter. Similarly, Adult Content Spam doubled its share from 8% to 16%.

Meanwhile, the SpamSoldier Android botnet and other older botnets were linked to several Panamanian services. These services provided registration mechanisms for rogue online pharmacies, domains for the SpamSoldier botnet, and anonymous hosting for botnet Command and Control servers. More details about these Panamanian services along with further analysis of SMS and email spam trends in Q1 2013, can be found in our quarterly report.

When you get a spam SMS message you should forward it to 7726 (that’s S-P-A-M on your phone keypad).

Many mobile carriers around the world are moving to the 7726 short code as a standard way to report text message spam, although in some countries they use a different short code, such as in France where the code is 33700.  If you don’t get the expected response from 7726, then check with your mobile carriers for the best way to send in spam reports.

If you check out the blog posts from Monday (iPhone) and Tuesday (Android), you can see that forward a spam to a short code requires several steps.

So in addition to using 7726, Verizon Wireless customers in the US, who have Android phones, have another, slightly easier spam reporting option.  Verizon offers a Messaging App called Verizon Messages  that contains a Report Spam button.  Here’s how it works.

1. When you receive a spam message, tap on the Menu button

2. To report the message as spam, tap on Report Spam

3. Verizon Messages will check that you’re sure you want to report the message as spam, just so you don’t accidentally report your friends as spam.  If it it’s a real spam message then tap on Report Spam to confirm.

That’s it.  All done!

You can see that reporting spam using Verizon Messages is much easier than the multiple steps required to report spam using forwarding on your iPhone or Android.  Hopefully in the future other mobile carriers will do something similar to Verizon Wireless and offer similar easy ways to report text message spam.

Verizon Messages is available on the Google Play: https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs 

When you get a spam SMS message you should forward it to 7726 (that’s S-P-A-M on your phone keypad).  This reports the spam message to your mobile carrier so that they can take action against the spammer.

Many mobile carriers around the world are moving to the 7726 short code as a standard way to report text message spam, although in some countries they use a different short code, such as in France where the code is 33700.  If you don’t get the expected response from 7726, then check with your mobile carrier for the best way to send in spam reports.

Today we’ll show you how to forward the spam to 7726 on an Android mobile phone.  On Monday, we showed you how to report spam on an iPhone and tomorrow we’ll show you how to do it using Verizon Messages (Verizon’s Messaging app) which has a convenient ”Report Spam” button.

How to Report Spam on an Android Phone

1. First make a note of the phone number the spam text came from. You’ll need it later.

2. To Forward the spam message, tap on the Menu button of your Android and then tap Forward

3. Then select the spam message you want to forward by tapping on it.

4. Now enter 7726 as the number you want to forward the message to, and tap Send. 

5. In a few seconds you should get a reply from your carrier asking for the sending number of the spam.  Below you can see a message from Sprint:

6. Now enter the number of the spammer (that you made a note of earlier in step 1) and tap Send.  This will let the carrier know who sent the spam to you so that they can take action against the spammer.

Also checkout how to report spam on an iPhone, and look out for tomorrow’s post on  how to report spam using Verizon Messages which is available for Android on the Google Play Store ( https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs )

When you get a spam SMS message you should forward it to 7726 (that’s S-P-A-M on your phone keypad).  This reports the spam message to your mobile carrier so that they can take action against the spammer.

Many mobile carriers around the world are moving to the 7726 short code as a standard way to report text message spam, although in some countries they use a different short code, such as in France where the code is 33700.  If you don’t get the expected response from 7726, then check with your mobile carrier for the best way to send in spam reports.

Today we’ll show you how to forward the spam to 7726 on an iPhone.  Over the next few days we’ll show you how to do it on an Android phone and also how to do it using Verizon Messages (Verizon’s Messaging app) which has a convenient ”Report Spam” button.

How to Report Spam on an iPhone

1. First make a note of the phone number the spam text came from. You’ll need it later.

2. Now open the message and tap on the Edit button

3. Select the spam message by tapping on the radio button next to the message.

4. Forward the selected message by tapping the Forward button.

5. Then Enter 7726 in the To: field and tap Send to report the spam message. 

6. In a few seconds you should get a reply from your carrier asking for the sending number of the spam.  The one below is from T-Mobile:

7. Now enter the spammer’s number (that you made a note of in step 1 above) in the Text Message section, and then tap Send.  This will let the carrier know who sent the spam to you so that they can take action against the spammer.

And look out for our upcoming posts on how to report a text spam from your Android and how to report spam using Verizon Messages which is available for Android on the Google Play Store ( https://play.google.com/store/apps/details?id=com.verizon.messaging.vzmsgs )

Today the Federal Trade Commission (FTC) announced that they have charged 29 defendants with collectively sending 180 million unwanted text messages.

The text messages advertised “Free” Gift cards or prizes from major retailers such as Best Buy, Walmart and Target.  However, consumers who clicked on the links contained in the text messages were required to provide personal information and to sign up for other “offers” in order to be eligible and then also had to sign up other people for these offers.

Because the consumers who were receiving these text messages had not signed up to receive these messages, many people reported the messages as spam to the 7726 short code which is offered by the major US mobile carriers through the GSMA Spam Reporting Service, powered by Cloudmark.

7726 data highlights that the FTC has chosen to strategically go after the largest source of SMS spam in the US.  Gift Card spam has consistently been the largest category of SMS spam complaints in the US over the course of 2012.  For five months of the year it was over 50% of the volume being reported to 7726 and for 11 of the 12 months it was higher than any other category.  The only month where it dipped was October when there was a spike in bank phishing text messages.  The graph below shows the monthly percentage of spam reports which were gift card messages.

In contrast during February this year, there was a dramatic drop in Gift Card spam that started around Feb 20th.  We can’t know for sure if the drop off was caused by the FTC’s action, but it is a significant drop from being regularly over 50% of the reports, to under 10% of the reports for the last 3 days.  It will be interesting to watch the numbers going forward to see if they stay down, or whether the spammers will find new ways to send the spam or whether new spammers will take the place of the old ones, in order to keep traffic going to these sites.

To view the data another way, here are the main types of spam attacks reported during 2012.  Receive a Gift Card spam was 44% of all the spam reported in 2012:

In contrast in the first few days of March 2013, Receive a Gift Card spam has only been 7% of all the spam reported:

The agility of the FTC in going after the major source of SMS spam is impressive.

Spam that advertises free gift cards isn’t new. Theses posts from 2011 (Spam or Not Spam) and last year (Olympic gift cards with a shot of Starbucks) highlight gift card spam being sent to email recipients.  Because the spammers can get paid by the operators of the gift card websites, their incentive to send spam and get users to the website is high and they will look for the easiest, cheapest and most effective way to advertise and send traffic to their website, whether that’s via email, SMS or social networking.

One tactic we’ve seen the Gift Card spammers using lately is to use links hosted by URL Shortening websites to redirect through the shortener link to the website that will try to collect the users personal information and  sign them up for the various offers in the hopes of gaining the elusive gift card.

However, targeting mobile consumers is much more intrusive and has additional costs when compared to email spam, because people carry their mobile phones with them throughout the day and many people still have to pay a per message cost for every SMS they receive.  Therefore it’s gratifying to see the FTC going after these spammers.

Fighting spam is a collective effort.  The more ways that the cost of sending the spam can be increased, the less likely the spammer is to send that type of spam.  When the URL Shortening websites take action to make it harder for spammers to use their services this also helps decrease the spam.  And when legal action is taken against a spammer, it can often deter both that spammer and the other spammers who see the legal action being taken as they take the cost of the legal action into account.

It’s great to see Twitter taking the lead on the URL shortener security. Twitter acquired Dasient earlier in the year and it’s refreshing to see them being put into action securing the t.co linkage and what’s more t.co is now going to front more and more links seen in the service.

Further reading:
http://www.telegraph.co.uk/technology/twitter/9883076/Twitter-shortens-tweets-by-two-characters.html

Since miscreants often “wash” malicious links through URL shortening services, it’s going to interesting to see how this situation swings as my usual stance on shorteners shortening shorteners is simple DON’T!

I had the pleasure of meeting Neil Daswani yesterday and got a real sense that they’ve got the right guy for the job.

By breaking the norms of shortening and taking their duty of care much more seriously Twitter are really raising the bar for the other URL shorteners.

Yesterday, a news article on my local public radio station caught my attention.  On Wednesday, the Institute of Medicine (IOM) put out the report: “Countering the Problem of Falsified and Substandard Drugs”.  The report was created at the request of the US Food and Drug Administration (FDA).

Lawerence Gostin, the Georgetown University law professor and World Health Organization adviser who led the study, was quoted in the NPR news article: 

“It’s actually more profitable to supply illegitimate drugs than cocaine or heroin,” Gostin says. “And so you’re seeing more and more sophisticated drug suppliers.”

Gostin repeated a similar quote to the Wall Street Journal.

As we analyze spam and other malicious messages at Cloudmark, we regularly see evidence of the suppliers of illegitimate pharmaceutical hard at work.  Generally the spammers are trying to convince people to visit a website that purports to be selling Canadian pharmaceuticals.  Some of yesterday’s web pages even had a cheerful “Happy Valentine’s Day” banner which today has been switched out with a “Happy President’s Day” banner.

Online Pharmacy Selling Illegitimate Pharmaceuticals

The email spam messages often don’t contain a URL that links directly to the pharmaceutical website, instead they may contain a link to a legitimate website which has been hacked, most likely because the legitimate site is running an older version of WordPress or Joomla with known vulnerabilities but the website owner has yet to upgrade.

The spammer, or someone paid by the spammer, has hacked the legitimate website and placed a page on it that will re-direct a browser to the fake pharmaceuticals website.  Alternatively, the spammer may use a URL shortening site to redirect through to the pharmacy website.  However, the hacked websites is the current favorite technique that we’ve seen used the most in the last few months.

In 2012 Cloudmark saw the percentage of email spam that Cloudmark was filtering which contained hacked websites jump dramatically in the second half of the year.  In June 2012 hacked domains accounted for about 5% of the email spam, but rose in September and October to around 10%, with spikes as high as 30%.  Then in late December we saw a spike to almost 50%.  During January 2013 we saw another spike in the first week of the year and it then returned to around the 5% level for the last half of the month.

The Institute of Medicine report reminds people that “Falsified and substandard medicines provide little protection from disease and, worse, can expose consumers to major harm.”   The report is aimed at starting a productive international discussion about how to address the problem of falsified and fake medicines.

IOM report: Administration estimated that the September 2012 raid shuttered more than 4,100 illegal online drug sellers.  (Interpol): © Carabinieri NAS (Italia)

Last September, the FDA also launched a a national campaign to alert US consumers to the possible dangers of buying pharmaceuticals online.  They recommend that consumers beware of online pharmacies that allow people to buy drugs without a prescription, or that offer deep discounts or cheap prices that seem to good to be true.  They recommend to US consumers not to buy from pharmacies that are located outside of the United States or which are not licensed in the United States.  They note that a legitimate US pharmacy will always require a doctor’s prescription, and will provide a physical address and telephone number in the US.

They also provide a link for US consumers to look up which pharmacies are licensed in their state.

The FDA website also recommends that people do not buy from online pharmacies who “Send spam or unsolicited email offering cheap drugs”.  In general Cloudmark recommends against a person buying anything from anyone who sends spam.  At worst the person is at risk of being duped into buying a fake, non-existent or dangerous product.  At best, they’re encouraging the spammer to send more spam.

Usually the pharmacy spammers are making money from an affiliate network where the spammer is paid by the owner of the pharmacy site, either per click that gets sent to the pharmacy site, or for each person who buys something from the site.

Unfortunately, the spammers send the spam because some people, even a very small number of people, are falling for the offer and buying the product.  And as Lawerence Gostin pointed out, it can be “more profitable to supply illegitimate drugs than cocaine or heroin”.

At first glance it might seem that the decision if an email is spam or not is a black and white one – either it’s spam or it isn’t. However, the closer you get to the problem, the more complex it becomes, and many shades of grey start to appear.

For example, last Thanksgiving I was keeping an eye on email related to Black Friday and Cyber Monday, to see how those were being exploited by spammers. The results were interesting. The real spam was caught by our automated filters as always. However, we received a lot of feedback where a recipient had taken a legitimate marketing mail from, say, amazon.com, Petsmart, or Home Depot and manually flagged it as spam. These are legitimate companies who are sending mail that a lot of people want to see, so they are not likely to end up in any spam filters. If you are receiving legitimate marketing emails that you no longer want to receive, click on the Unsubscribe link and not the Report As Spam button.

More troubling than that was the case of a legitimate bulk email company that provides marketing services for a number of national brands. We noticed that they are forging the headers on their emails to make it appear as if they are coming from a single user email client rather than a bulk mailing service. This is a technique used by spammers to try to improve deliverability. However, for a legitimate business it will probably have the opposite effect. Spammers do not forge headers to get more emails delivered than legitimate bulk mailers. Spammers forge headers to try to get as many emails as they can through our filters. That’s never very many. The more a legitimate email source tries to use the spammer’s toolkit, the more likely their emails are to get classified as spam and consigned to the bit bucket.

The road to the Dark Side is insidious. It starts with an opt out check box hidden in the fine print and a six step unsubscribe process. Next a forged header line or two, and then adding a little word salad so every email is slightly different. Before you know it you are renting botnets or buying webmail accounts by the thousand and every step down into the pit you will convince yourself that there are legitimate business reasons.

There is a better road though. If your marketing emails are causing mass unsubscribes or getting flagged as spam, the first thing to do is not to tweak the headers, but to take a long, hard look at the content. If you are sending people information they want to receive in a way that is engaging, then your marketing campaign will work much better than one that goes to five times as many people who have no interest in seeing it. Know your audience, and tailor your message. Before sending out a mass mailing, test five or ten different versions on smaller groups and see what gets the best ROI and the fewest unsubscribes.

Most large mailbox providers will provide feedback loops to large mailers, which will notify them which recipients are marking their messages as spam. Not only does this provide vital statistical feedback, but that feedback can also be treated as unsubscribe requests by the mailer. It’s pretty obvious from our reports which mailers are not taking advantage of this service – and that adds another shade of grey.

Take the path of science and math, and measure response to emails. Give people who do not wish to receive your emails an easy way out – they’re not likely to buy from you anyway. Do not be seduced by the dark side of spam, or one day you may find yourself with vanishing response rates and a negative ROI, ranting about those filthy Nigerian scam artists who are giving bulk emailing a bad name.