Best Practices, Delivery Essentials

Fact or Fiction: Can you REALLY clean spam traps from your email list?

320px-busted_in_rustEarlier this month I spent a week in sunny Toronto for the Fall M³AAWG meeting, featuring a variety of sessions and conversations around all things anti-abuse. At any industry event like this, spam traps are usually a popular topic of discussion (check out this post for a primer on spam traps and why they matter). Senders want to know how to avoid or get rid of them, while many blacklist operators consider them a necessary evil to help identify poor sending practices. One of the most hotly-debated questions regarding spam traps surrounds how to remove them from your list. Many senders and solution vendors claim to be able to identify and remove spam traps, while trap operators go to great lengths to keep their traps anonymous. Let’s look at a couple of the most commonly-cited ways of identifying spam traps and how effective they really are.

List Validation & Hygiene Vendors

As mailbox providers have made it harder to reach the inbox, list hygiene services have become a booming segment of the industry. While some employ dubious methods, even prompting a warning from Spamhaus, there are a number of services that are considered reputable and are commonly used by legitimate marketers and even ESPs. For our discussion, let’s focus on these more reputable vendors.

As a basic rule, list validation services will take your file of contacts and provide a grade or score for each record. The data will indicate whether the email address is confirmed valid, confirmed invalid, or somewhere in between. Most of these vendors claim (some more prominently than others) to be able to identify spam trap addresses. Therefore, if you believe or know you have traps in your list, you should be able to purchase these services and solve your problem, right?

Not so fast, hot shot. Spam traps are secret by nature – if you know an address is a spam trap, then it has lost its effectiveness. As a result, trap operators make efforts to ensure traps are not identified by any outside party, including validation services. The traps identified by these services may have been actively used in the past, but at this point have likely been abandoned by their operator. Even those traps that are still in use would represent only a fraction of the spam traps that exist in the wild. So you may clean a few traps off your list, but you’re not going to solve any major spam trap issues using one of these services.

Effectiveness grade: F

Segmentation and isolation

Over the years I’ve run across many senders (and even some vendors) who believe that identifying spam traps in your list is as simple as pinpointing the time of the trap hits and/or the affected message(s) and/or the group that contains the traps. These senders will often slice up affected lists, sending to smaller and smaller segments of contacts until they have isolated a very small number of records that are, or may be, traps. They can then remove these bad apples from the list and go on sending willy-nilly to the rest of the recipients.

In reality, there are a couple of problems with this approach. First, most trap operators or blacklist admins aren’t going to provide you with the type of data that is required for this process. If you are considered a relatively trustworthy sender, you might get very limited data about trap hits – a date or a subject line, perhaps – but this is almost always just a sample of the full data set. If you get details on a single trap hit, there are likely 10 or 20 or 100 more hits that you can’t see. Trying to narrow down your list based on incomplete data is not likely to generate accurate results.

Effectiveness grade: D

Nullification

Similar to the previous method, this process involves using data provided by the trap operator to isolate and remove affected recipients. This is most often implemented by senders who use highly targeted segments and who may be sending to only a few dozen or hundred recipients at a time. Because of the small segment size, the sender often finds it more appealing to simply remove the entire list that was targeted on the specific day or with the specific message identified as hitting traps.

While removing the entire recipient list could be a slightly more effective solution, this method suffers from the same deficiency as the last: lack of data. This method is only effective if the trap operator provides the full list of trap hits with timestamps – which is extremely unlikely. So even if you suppress the list of recipients called out for one hit, you are likely to be missing the lists that contain additional traps. .

Effectiveness grade: C-

As you can see, none of these methods are especially effective at resolving spam trap issues, and it’s for a simple reason: they address the symptoms (spam traps) instead of the underlying problem (poor list acquisition or hygiene practices). Many trap operators will recommend reconfirming your contact database, the only truly effective method to remove spam traps from your database. However, you’re likely to lose some valid recipients in the process so most senders will only do this as a last resort. We’ve found that a better solution is a hybrid approach that includes both engagement and confirmation elements.

Engagement-based list cleanup

One fact we know about spam traps is that they don’t open email (with very few exceptions). As such, excluding recent openers and clickers from your confirmation efforts will help minimize potential losses to your list. Once you’ve identified those recipients who haven’t engaged in the past 6-12 months, you can temporarily suppress them from further mailings, then send them a confirmation request. Those who engage with the confirmation request can be returned to your active mailing list, and the rest should remain suppressed.

Effectiveness grade: A

It’s nearly impossible to isolate and remove spam traps from your database, so it’s best to stop them from getting there in the first place. Getting clear permission for all new recipients and using an engagement-based list hygiene process can all but eliminate the risk of spam traps in your list and make sure you never need to put these methods to the test.

– BG

 

Industry Updates, Laws and Regulations

CRTC releases full decision on CompuFinder CASL appeal

canada-649858_1280

Yesterday, the Canadian Radio-television and Telecommunications Commission (CRTC) published their official decision on CompuFinder’s appeal of CASL penalties levied against them. You may recall CompuFinder was subject to the first CASL enforcement action in March 2015 and hit with a hefty $1.1 million fine for their violations. In the appeal, CompuFinder argued that the emails in question were not in violation of CASL in addition to challenging the constitutionality of the law.

In the original notice of violation, the CRTC presented CompuFinder with 3 specific email campaigns that were deemed to be sent without the recipients’ consent, and in at least one instance the message did not contain a working unsubscribe link. CompuFinder argued unsuccessfully that because someone at the receiving domain had purchased a training or resource from them in the past, they had established a business relationship with any recipient at the same organizational domain. Not surprisingly, the CRTC shot down this argument, lending credibility to the assertion that consent follows the individual and not the organization. However, while CompuFinder’s violations were deemed valid, the penalties for those violations was lowered from $1.1 million to $200,000.

In a separate document, the CRTC also rebutted CompuFinder’s constitutionality challenges, finding the Commission does hold jurisdiction to enforce these regulations and that the regulations themselves were within the authority of the Canadian Parliament to enact.

Like CompuFinder, many senders are hanging a lot of their CASL compliance efforts (or lack thereof) on the “existing relationship” clause of the law. As evidenced in this case, there is a very high standard of proof for that relationship and the scope is narrow. CompuFinder produced many invoices for purchases and historical records of their email campaigns to these recipients, but they weren’t able to provide what CASL requires – proof of consent. And while the fine was ultimately lowered, this decision should provide you with at least 200,000 reasons to make sure your consent and documentation are in order.

– BG

Industry Updates

Roadrunner FBLs shut down

320px-1968_road_runner_emblem_vaThanks to Laura at Word to the Wise for the official heads up that the Roadrunner (Time Warner Cable) FBL has been turned off as of today, meaning no more spam complaint data will be sent from Roadrunner’s servers to mail senders.

Personally, I would consider this a good opportunity to check your list for rr.com addresses to gauge potential impact, as well as making sure your unsubscribe link is prominent and functioning properly. Since Roadrunner users who lodge spam complaints will now remain on your list, you want to be sure you make it as easy as possible for them to unsubscribe and avoid that Spam button.

It’s not uncommon to still have a number of Roadrunner addresses throughout your list, particularly if you’ve been collecting email addresses for a few years. If so, it could also be a good indicator that it’s time to run some engagement metrics or a campaign to encourage recipients to update their information.

– BG

Best Practices, Delivery Essentials

Zombies are everywhere…including your member database

WARNING: PLEASE DO NOT FEED THE ZOMBIESYesterday morning I received a bit of a surprise in the form of an email from Tumblr congratulating me on the 9th “birthday” of my blog. I checked and it seems I last posted on Tumblr just over 3 years ago…and only three times ever. In March 2013, I posted a photo from a photo sharing app called Streamzoo – an Instagram alternative that, apparently, wasn’t a good enough alternative and shuttered in 2014. In 2012 I posted a photo from Instagram, but from an account that no longer exists (it was deleted among the wave of privacy concerns about Instagram around that time.)

The fact that I got this notification is a good thing, as it means I’m still using the email address I used to create the Tumblr account – but what about all those accounts I created with previous addresses?

As I dug through websites I hadn’t thought of in years – MySpace, LiveJournal, even Angelfire! – it brought to mind a common issue for the association groups I work with: zombie members. While the use of zombie imagery in reference to old email addresses and web accounts isn’t new, paying attention to those undead records is more relevant than ever for organizations whose email program relies heavily on membership rolls.

Too often when troubleshooting delivery issues, membership organizations completely exclude their active member list from any sort of list hygiene initiatives. The reasoning makes sense on the surface: if someone is an active (often paying!) member of your organization, clearly they want your emails, right? Unfortunately, that often doesn’t take into account some of your most loyal members.

It’s an oft-quoted statistic that 20-30% of email account owners change their email address each year, often due to a change in internet provider or employer. Over the course of 5 years, that equates to a greater than 1 in 3 chance a recipient has changed their email address – but did they tell you? How would you know?

Let’s talk through some of the most common assumptions used to justify why an email address shouldn’t be subject to list hygiene practices and how they can lead to trouble.

1. “They logged into our website.”

This seems like a slam dunk: your website uses email address as username, and the member had to log into their account to renew (or you can see a record of their login.) That definitely means the address is good, right? Nope. Every web browser since Netscape Navigator (and probably before) has been able to save login information so you don’t have to remember those pesky passwords. If members aren’t required to confirm their email address regularly, they have little incentive to change their username (assuming they even realize they’re using the old address).

2. “They attended a conference.”

Like logging into your site, this is a great sign they’re engaged with your organizationbut not necessarily with your emails. If the registration for the event took place on your org’s website (that same one with the saved password, above), attendees may be using the same saved information to register. It may seem unlikely, but I’ve worked with many orgs who were unpleasantly surprised by the number of recent event registrants whose information was out of date.

3. “CAN-SPAM says we can send to members no matter what.”

It is true that CAN-SPAM has an exemption for messages deemed to be pertaining to a transaction or ongoing relationship. The FTC has issued some guidelines around this, but there’s still quite a bit of grey area. Sending a message announcing conference registration to your members? Maybe a promotion for a Continuing Ed course for industry professionals? Most experts would tell you these aren’t exempted messages.

Truth be told, whether they are or aren’t exempt is irrelevant to the discussion. CAN-SPAM allows you to send almost any sort of unsolicited email as long as you provide contact info and an unsubscribe method. This is the bare minimum required to comply with the law (and any reputable ESP will require permission.) However, every major email provider has implemented complex spam filtering systems designed to block or reject mail their recipients don’t want.  If their recipients don’t open your emails, or they mark them as spam or unwanted, your mail won’t get delivered. So yes, you may have legal permission to send them email, but that means absolutely zero when it comes to whether your message reaches the inbox.

How can you be sure your members’ information is valid?

While none of the above methods should be considered a reason to keep an email address in your list, there are a few options for confirming addresses that are a bit more reliable.

Send a reconfirmation email

The gold standard of email verification is the confirmation email. Once per year (often at the time of renewal), send an email to the address on file that requires a click on a confirmation link to stay on your list. If someone clicks, you know you’ve got the right person and the right address. If they open but don’t click? That’s a bit more of a grey area. Depending on the language in your email, you may want to keep them around but limit the emails they receive. Non-openers should be suppressed from your email campaigns going forward.

Look for recent opens or clicks

Most orgs are hesitant to require annual confirmation, which is understandable. It’s likely to shrink the size of the email database, a prospect that rarely elicits a thumbs-up from the executive team. In those cases, you can still look for recent activity from the recipient in the form of opens, clicks, and replies. If you have records indicating a recipient opened, clicked on, or replied to an email in the past 12 months, it’s generally a safe bet to keep them around. You may even want to use this in conjunction with the annual confirmation – only those records with no activity have to reconfirm. That will require a bit of additional work, but could pay off in spades if you avoid the loss of legitimate member email addresses.

Conduct an outreach campaign

If a member has no recorded interactions with an email, they’re not dead to you just yet. Many orgs conduct targeted outreach via phone, postcard, or even in-person meetings to get updated information from members. We’ve seen a number of associations have success driving traffic to their online information forms through these offline methods.

Once you’ve gone through these steps, you’ll likely have to decide to suppress some email addresses from your member list to maintain good deliverability. When this happens, remember that removing a member from your email list doesn’t negate their membership – they may still attend events, participate in forums, and engage with your organization. And each of those interactions is another opportunity for you to get updated information from them and bring them back into the email fold.

– BG

Industry Updates

Google Postmaster Tools Reputation data issues (UPDATE: Appears Resolved)

IP_Reputation_-_Postmaster_ToolsUPDATE: As of this morning (9/12) IP reputation data appears to be displaying correctly and domain reputation data is being provided.

If you’ve checked Google Postmaster Tools lately, don’t freak out just yet about your IP reputation. As first reported by Word to the Wise,  the IP reputation metrics appear to be broken at the moment, displaying a “Bad” reputation for all IP addresses since 9/9. I’ve seen this in my own Postmaster Tools account, along with a lack of data for domain reputation since 9/8. Authentication and Encryption metrics appear to be working correctly for me, but I can’t say for sure whether the Spam Rate, Feedback Loop, or Delivery Errors charts are correct – they all show zero since 9/8, but that’s not uncommon in my experience.

Like Laura, I’ve not seen any delivery problems associated with the change in metrics, with bounce and open rates at Gmail pretty consistent based on a few spot checks.

As of yet there doesn’t appear to be an official confirmation from Gmail, but clearly something is hosed with their data. Is it possible this is tied to the Postmaster Tools updates that were promised a few months back? I’d say it’s unlikely…but a guy can hope, right?

– BG

Best Practices, Industry Updates

Microsoft rejecting your mail? You may be suspected of email harvesting

www.volganet.ru [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL 1.3 (www.gnu.org/licenses/fdl-1.3.html)], via Wikimedia Commons
via Wikimedia Commons
If you’ve been noticing your mail is rejected by Microsoft lately, it’s a good idea to take a look at the Smart Network Data Solutions (SNDS) dashboard. If you’re not aware, SNDS is Microsoft’s tool to show senders how their mail performs to recipients at MS domains. You can sign up for free (assuming you own your IP addresses); if you use an ESP, they’ll have SNDS set up for your sending IP and generally monitor it regularly.

If you do have SNDS access, you can check the IP Status heading to see any blocks that are currently in place for the IPs you own. Over the past few weeks I’ve been seeing a lot of IP addresses listed there due to “E-mail address harvesting.” After working with the Postmaster team, it seems the issue occurs when too many RCPT commands are sent without valid recipients. In other words, the sending server attempted to validate the existence of a lot more email addresses than they actually sent mail to. These blocks are most commonly associated with dictionary attacks, or sending to many usernames at the same domain (aaa@domain.com, aab@domain.com, aac@domain.com) with the purpose of finding good addresses. This tactic is often used by spammers who are – you guessed it – harvesting email addresses for their mailing list.

However, the instances I’ve seen have all been legitimate senders, sending mail to people who have signed up to receive it. In one case, a human error led to sending mail to a list of unsubscribed addresses, but the rest appear to simply be senders whose list hygiene needs improvement. In addition to dictionary attacks, these blocks seem to be triggered by high rates of invalid recipients. These recipients are counted in the number of RCPT commands but not in the total delivered. In one case, the difference between the two was only around 10% – certainly not ideal, but also not indicative of a spammer harvesting addresses.

When working with the Postmaster team, they’ve been very helpful in getting the blocks resolved once we explain the circumstances around the sends and how we’ve taken steps to prevent a recurrence, but these blocks have stopped all mail to Outlook.com users for days in some cases before they are removed. For a sender, this could mean a substantial loss of revenue while the block is in place…so what can you do?

Now more than ever, list hygiene is paramount. Be sure you aren’t sending to old or stale contact lists and target recipients with recent open or purchase activity. Keeping your bounce rates as low as possible will minimize the chances you run into one of these MS blocks.

Been flagged as a harvester yourself? Just having trouble getting delivered to Outlook? Let me know in the comments or via email!

– BG

Best Practices

Don’t give a damn ’bout my reputation

Chances are, you’re reading this on the internet right now. And if so, you’ve probably heard the word “reputation” thrown around a lot this week thanks to Taylor Swift and her new album announcement (I prefer Joan Jett, thanks). While reputation may be seeing a moment in the pop culture space, its place in email has been long established. A good sender reputation is paramount for a successful email program, and a bad reputation can lose you thousands in revenue on a single campaign. So why, then, do so many organizations treat it so carelessly?

Taylor Swift's Reputation album cover
Mert & Marcus

Case in point: I’ve worked with marketers who have partnerships with other organizations in which they cross-promote each other’s products. A common arrangement, no doubt, and in most cases mutually beneficial. Often one party reaches out to me or another consultant asking how they can protect their domain reputation from any damage caused by the cross-promotion.

When I get this question, I typically first ask if they believe there is a legitimate risk of damage to their sender reputation. If so, why? Are they partnering with an organization with poor email practices? And if they are that concerned about the reputation of this partner “bleeding over” into their own domain, why do they continue to do business with them?

Many senders seem to feel they can overcome these risks with some technical sleight-of-hand: using a different IP address or domain, redirecting links through different servers, etc. While these tricks may work temporarily, mailbox providers have become extremely advanced in their filtering. These practices are often associated with spammers and malicious senders, so using them can cause even more damage to your reputation when the providers start to associate them with your brand.

In email, just as in life, the parties with whom you associate can tarnish your good name. Doing business with disreputable email senders will start to impact your deliverability and brand reputation. In fact, Google even uses factors like web and search reputation as part of their mail filtering algorithms. Technology has led to the increasing intersection of our public and private lives – we’ve all heard the stories of folks who got fired after an inflammatory social media post was discovered. In the same way, every aspect of your brand’s digital presence is connected and has the potential to impact your email program.

If you have a high level of concern that your actions or partnerships will cause damage to your sender reputation, you’re probably right. Instead of looking for ways around it and causing more damage, explore ways you can generate additional traffic and revenue without the additional risk. Vet your partners carefully – make sure their practices don’t sink the hard work you’ve put in to establish your own good reputation.

– BG