Problems seen in transactional messages

2013-03-05 22:32:40 GMT, by Denny Watson

Some months ago a number of bloggers wrote about The Spamhaus Project's "new" spamtraps. Some asserted that we were suddenly targeting transactional messages. Others noticed the timing of new SBLs based on those "new" traps and one concluded that we had decided to publish our advisories during the Christmas season, the time of year that retail companies see the bulk of sales and that would therefore most affect marketers. Links to a few of these blogs are provided below:

In addition to other sources of data, The Spamhaus Project uses all sorts of spamtraps; we haven't suddenly started using typo domains (domains a few characters different than a popular domain) as a data source. We have been doing this for well over a decade. Change is a constant at Spamhaus as elsewhere and some things did change around December of 2012. These included greater cross-referencing amongst our various spamtraps, closer communication amongst their maintainers, and greater machine analysis of spam headers.

Being leaders in the anti-spam community, we are often asked for our opinion and guidance in building and operating anti-spam systems. We have often stated that, when operating spamtrap farms, care should be given to identification of transactional messages, and they should be handled differently than other email sent to spamtraps. We do not list IP addresses because of one-off transactional emails sent to a few spamtraps. If the email stream is persistent over time, especially high volume, and drifts outside the relationship of individual transactions, we will start to find these messages a problem. An example of this is when the transactional email stream to the spamtrap also contains marketing messages.

The Spamhaus Project publishes advisories for its users. We attempt to list spam sources when spam is being emitted or, in some cases, even before it has started. As such, we do not wait for specific times of the year to publish our advisories. We publish as we become aware of the problem, and only for as long as we see the problem still exists.

Before we look into some case studies, there is an important point to note: not all Spamhaus Project spamtrap systems accept all email. (It is a common misconception that they do.) Some reject a percentage of the messages sent to them. Some reject mail from specific sources. Some even reject all email whatsoever. The behavior of any spamtrap can also change over time. This is important because in the examples that we will be presenting all messages were rejected. Had the senders been paying attention to their error logs, as all bulk emailers should, they would presumably not have continued to send email to obviously closed/dead email addresses.

Case Study 1.

A transactional message (in this case a receipt) was sent to an email address that had never requested it. That message bounced, but that didn't prevent the company's marketing department from pushing advertisements to that email address. They stopped sending to the email address eventually, but nine months later they moved to another ESP and attempted to re-engage the email address.

Please note: this email address had rejected every message sent to it over the course of the year. It never "opened" an email. It never "clicked" a link. Even if the marketing department had not been given access to the mail logs or told which email addresses were bouncing, if they had simply paid attention to the engagement statistics for this email, they would have known that nobody was reading it.

2011/08/19     Your eReceipt from {deleted} Outlet
2011/08/22     Welcome! Enjoy 15% off at {deleted} Outlet!
2011/08/28     Your gift inside!
2011/09/02     Only 1 more weekend. Your gift inside!
2011/09/05     Ohh baby! It's a sale!
2011/09/09     This Weekend: 50% Off Women's Styles
2011/09/22     SAVE BIG! $14.99 and under sale!
2012/06/27     Your gift inside!
2012/07/03     Did you get your coupon yet?
2012/07/11     SALE: $9.99 tanks and tees!
2012/07/20     $14.99 logo hoodies + save 70%!

We view the message sent on 2011/08/19 as a transactional message, most likely entered at a point of sale. We view the message sent on 2011/08/22 as an opt-out message from the marketing department, since no permission had ever been given to send marketing email messages to that email address. To repeat ourselves, every one of these messages was rejected. It is the view of the Spamhaus Project that email addresses used for transactional mail should not be used for marketing email without permission.

Case Study 2.

Sometimes an email address is acquired at a point of sale and saved into a database for future marketing. Addresses collected for transactional messages, when saved into a database to be reused, should go through some sort of confirmation process to ensure that new messages are in fact going to the proper person.

2012/02/07 Your eReceipt from {Brand-A} Richmond
2012/02/07 Your eReceipt from {Brand-A} Richmond
2012/03/08 Your eReceipt from {Brand-B} Pinole
2012/04/22 Your eReceipt from {Brand-B} Pinole
2012/04/22 Your eReceipt from {Brand-B} Pinole
2012/04/28 Your eReceipt from {Brand-A} Richmond
2012/04/28 Your eReceipt from {Brand-A} Richmond
2012/04/28 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your {Brand-A} Order Confirmation
2012/05/09 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your eReceipt from {Brand-A} Richmond
2012/05/09 Your {Brand-A}.com Order Has Shipped
2012/05/09 Your {Brand-A}.com Order Has Shipped
2012/05/10 Your eReceipt from {Brand-A} Richmond
2012/05/10 Your eReceipt from {Brand-A} Richmond
2012/05/10 Your eReceipt from {Brand-A} Richmond
2012/05/10 Your eReceipt from {Brand-A} Richmond
2012/05/11 Your {Brand-A} order has been delivered
2012/05/11 Your eReceipt from {Brand-A} Richmond
2012/05/11 Your eReceipt from {Brand-B} Pinole
2012/05/11 Your eReceipt from {Brand-B} Pinole
2012/05/13 Shop again at {Brand-A} and get $10 off
2012/05/15 Your eReceipt from {Brand-A} Richmond
2012/05/16 You deserve the best: Here are your top ten deals!
2012/06/28 Your eReceipt from {Brand-B} Pinole
2012/07/06 Your eReceipt from {Brand-B} Pinole
2012/07/18 It's been a while since we've seen you online - check out new offers just for you!
2012/07/23 Your eReceipt from {Brand-A} Richmond
2012/07/23 Your eReceipt from {Brand-A} Richmond
2012/07/26 Your eReceipt from {Brand-B} Pinole
2012/07/27 Your eReceipt from {Brand-A} Richmond
2012/08/18 Your eReceipt from {Brand-A} Richmond
2012/08/22 Your eReceipt from {Brand-A} Richmond
2012/08/25 Your eReceipt from {Brand-B} Pinole
2012/08/25 Your eReceipt from {Brand-B} Pinole
2013/01/28 Take a Peek: A $10 in Points coupon + bonus offer awaits inside

As with the previous case study, all of these messages were rejected during the SMTP conversation. Had the sender been processing rejections ("bounces"), the sender would have known that their email was not being delivered. Email to this email address should have stopped after AT MOST three rejections.
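The bounce handling described above can be sketched as follows. This is an added example, not Spamhaus or sender code: it replays a constructed send log and suppresses a recipient after three consecutive 5xx rejections, using one suppression list shared by every brand and mail stream. The addresses, the `.example` domains, the choice to count consecutive rejections, and the reset on a 2xx acceptance are assumptions made for illustration.

```python
from collections import defaultdict

MAX_REJECTIONS = 3  # the article's ceiling: stop after AT MOST three rejections

# Constructed sample send log (not real data):
# date, envelope sender, recipient, SMTP reply code
SAMPLE_LOG = [
    ("2012/02/07", "receipt@brand-a.example", "trap@typo-domain.example", 550),
    ("2012/02/07", "receipt@brand-a.example", "trap@typo-domain.example", 550),
    ("2012/02/08", "receipt@brand-a.example", "buyer@customer.example", 250),
    ("2012/03/08", "receipt@brand-b.example", "Trap@typo-domain.example", 550),
    ("2012/04/22", "receipt@brand-b.example", "trap@typo-domain.example", 550),
    ("2012/05/01", "receipt@brand-a.example", "buyer@customer.example", 451),
    ("2012/05/13", "offers@brand-a.example", "trap@typo-domain.example", 550),
    ("2012/06/02", "receipt@brand-a.example", "buyer@customer.example", 550),
    ("2012/06/09", "receipt@brand-a.example", "buyer@customer.example", 250),
    ("2013/01/28", "rewards@rewards-club.example", "trap@typo-domain.example", 550),
]

def replay_with_suppression(log, limit=MAX_REJECTIONS):
    """Replay a send log as if SMTP rejections had been processed.

    Returns (suppressed, blocked): suppressed maps recipient -> date of the
    rejection that reached the limit; blocked lists the later sends that
    would never have left the system.
    """
    streak = defaultdict(int)    # consecutive 5xx rejections per recipient
    suppressed, blocked = {}, []
    for date, sender, rcpt, code in log:
        rcpt = rcpt.lower()      # assumption: addresses compared case-insensitively
        if rcpt in suppressed:   # keyed on recipient only, so a new brand,
            blocked.append((date, sender, rcpt))  # stream or ESP inherits it
            continue
        if 500 <= code <= 599:   # permanent rejection in the SMTP conversation
            streak[rcpt] += 1
            if streak[rcpt] >= limit:
                suppressed[rcpt] = date
        elif 200 <= code <= 299: # accepted: the address is deliverable
            streak[rcpt] = 0
        # 4xx is a temporary failure: retry later, neither count nor reset
    return suppressed, blocked

if __name__ == "__main__":
    suppressed, blocked = replay_with_suppression(SAMPLE_LOG)
    print("suppressed:", suppressed)
    for row in blocked:
        print("would not have been sent:", *row)
```

Because the list is keyed on the recipient rather than on the envelope sender, the constructed 2013/01/28 message from a different sender address is blocked along with the receipts.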

In addition to being sent to an email address that had rejected all previous email, the message sent on 2013/01/28 had a completely different sender envelope address than the previous messages. For example, assume that the receipts were sent from receipt@brand-a, but the new email was sent from rewards@superduperrewardsclub. Even if the new email had been sent to an actual customer email address instead of a spamtrap, unless the customer did considerable research, the customer would not realize that they were being contacted by "Brand A", which also owned "Brand C". The email would look like spam from a company that they'd probably never heard of or done business with.

Case Study 3.

Sending transactional messages doesn't mean that you can forget about list hygiene. In this example, a domain expired in early to mid-2010, was re-registered by Spamhaus, and was placed in timeout for more than two years. (Most new spamtrap domains are placed in timeout for at least six months, and many for a year or more, before being put into production as a spamtrap. While email is properly rejected during that aging process, data can still be collected before the SMTP rejection, hence the Subject history during that period.) This spamtrap was configured to reject all email from this particular source, but the sender after two years still hasn't realized that the original recipient is not receiving their messages.

2011/01/15 Your receipt #{deleted}
2011/01/15 Your receipt #{deleted}
2011/01/17 Your receipt #{deleted}
2011/02/11 Your receipt #{deleted}
2011/02/15 Your receipt #{deleted}
2011/02/26 Your receipt #{deleted}
2011/03/10 Your receipt #{deleted}
2011/03/28 Your receipt #{deleted}
2011/03/28 Your receipt #{deleted}
2011/03/30 Your receipt #{deleted}
2011/04/01 Your receipt #{deleted}
2011/04/03 Your receipt #{deleted}
2011/04/11 Your receipt #{deleted}
2011/04/18 Your receipt #{deleted}
2011/04/24 Your receipt #{deleted}
2011/04/25 Your receipt #{deleted}
2011/04/28 Your receipt #{deleted}
2011/05/07 Your receipt #{deleted}
2011/05/12 Your receipt #{deleted}
2011/05/17 Your receipt #{deleted}
2011/05/20 Your receipt #{deleted}
2011/05/24 Your receipt #{deleted}
2011/05/27 Your receipt #{deleted}
2011/05/27 Your receipt #{deleted}
2011/06/08 Your receipt #{deleted}
2011/06/11 Your receipt #{deleted}
2011/06/24 Your receipt #{deleted}
2011/06/28 Your receipt #{deleted}
2011/06/28 Your receipt #{deleted}
2011/07/02 Your receipt #{deleted}
2011/07/02 Your receipt #{deleted}
2011/07/02 Your receipt #{deleted}
2011/07/04 Your receipt #{deleted}
2011/07/12 Your receipt No.{deleted}
2011/07/20 Your receipt No.{deleted}
2011/07/20 Your receipt No.{deleted}
2011/07/23 Your receipt No.{deleted}
2011/07/23 Your receipt No.{deleted}
2011/07/23 Your receipt No.{deleted}
2011/07/23 Your receipt No.{deleted}
2011/07/24 Your receipt No.{deleted}
2011/07/25 Your receipt No.{deleted}
2011/07/26 Your receipt No.{deleted}
2011/07/27 Your receipt No.{deleted}
2011/07/30 Your receipt No.{deleted}
2011/08/01 Your receipt No.{deleted}
2011/08/03 Your receipt No.{deleted}
2011/08/05 Your receipt No.{deleted}
2011/08/08 Your receipt No.{deleted}
2011/08/14 Your receipt No.{deleted}
2011/08/18 Your receipt No.{deleted}
2011/08/18 Your receipt No.{deleted}
2011/08/20 Your receipt No.{deleted}
2011/08/27 Your receipt No.{deleted}
2011/08/30 Your receipt No.{deleted}
2011/09/03 Your receipt No.{deleted}
2011/09/11 Your receipt No.{deleted}
2011/09/16 Your receipt No.{deleted}
2011/09/28 Your receipt No.{deleted}
2011/10/26 Your receipt No.{deleted}
2011/10/28 Your receipt No.{deleted}
2011/11/03 Your receipt No.{deleted}
2011/11/05 Your receipt No.{deleted}
2011/11/12 Your receipt No.{deleted}
2011/11/14 Your receipt No.{deleted}
2011/11/14 Your receipt No.{deleted}
2011/11/21 Your receipt No.{deleted}
2011/11/26 Your receipt No.{deleted}
2011/12/03 Your receipt No.{deleted}
2011/12/05 Your receipt No.{deleted}
2011/12/10 Your receipt No.{deleted}
2011/12/21 Your receipt No.{deleted}
2011/12/27 Your receipt No.{deleted}
2012/01/02 Your receipt No.{deleted}
2012/01/06 Your receipt No.{deleted}
2012/01/14 Your receipt No.{deleted}
2012/01/14 Your receipt No.{deleted}
2012/01/17 Your receipt No.{deleted}
2012/01/22 Your receipt No.{deleted}
2012/01/24 Your receipt No.{deleted}
2012/02/24 Your receipt No.{deleted}
2012/02/28 Your receipt No.{deleted}
2012/03/09 Your receipt No.{deleted}
2012/03/22 Your receipt No.{deleted}
2012/03/28 Your receipt No.{deleted}
2012/03/30 Your receipt No.{deleted}
2012/04/12 Your receipt No.{deleted}
2012/04/18 Your receipt No.{deleted}
2012/04/24 Your receipt No.{deleted}
2012/07/30 Your receipt No.{deleted}
2012/07/30 Your receipt No.{deleted}
2012/08/01 Your receipt No.{deleted}
2012/08/08 Your receipt No.{deleted}
2012/08/12 Your receipt No.{deleted}
2012/08/13 Your receipt No.{deleted}
2012/08/18 Your receipt No.{deleted}
2012/08/23 Your receipt No.{deleted}
2012/08/23 Your receipt No.{deleted}
2012/09/08 Your receipt No.{deleted}
2012/10/12 Your receipt No.{deleted}
2012/10/30 Your receipt No.{deleted}
2012/11/07 Your receipt No.{deleted}
2012/11/14 Your receipt No.{deleted}
2012/12/14 Your receipt No.{deleted}
2012/12/16 Your receipt No.{deleted}
2012/12/24 Your receipt No.{deleted}
2013/01/11 Your receipt No.{deleted}
2013/01/14 Your receipt No.{deleted}
2013/01/18 Your receipt No.{deleted}

In the example above it is painfully obvious that this sender isn't even looking at their rejection logs. They are also not performing any sort of hygiene on the email addresses that they are sending to, as each of those messages was rejected in the SMTP conversation.

We hope that these case studies help to illustrate the problems caused when senders of transactional and bulk email ignore SMTP rejections. The ongoing flow of presumably-unintended bulk email from unattended mail systems operated by well-intentioned but careless senders is unsolicited bulk email (spam). It wastes recipient mailserver resources and annoys innocent third party recipients who did not ask for that email.

Spamhaus' mission is to keep unsolicited bulk email out of our users' mailboxes. We do make adjustments in the data available for SBL listings and in how we handle that data. Sometimes, as was the case in December, those adjustments bring to light ongoing spam problems, but they do not create those spam problems.



Permanent link to this news article:
Problems seen in transactional messages
http://www.spamhaus.org/news/article/692/problems-seen-in-transactional-messages
