The DMA kicks spam up a notch
Spamming is always bad, but it is just plain foolish to spam addresses at spamhaus.org. While Spamhaus SBL listings are based on much wider views of spam than our own mailboxes, our mailboxes can tell us what we should look for. So when over the weekend the U.S. Direct Marketing Association (DMA) decided to spam, it would have been wiser to leave Spamhaus founder Steve Linford's email address off the list.
Below is a copy of the email headers from this spam:
Return-Path: <Information@email-dma.org>
Delivered-To: <{Personal.Address}@spamhaus.org>
Received: by mail-qc0-f181.google.com with SMTP id w4so2931323qcr.26
for <{Personal.Address}@spamhaus.org>; Sat, 26 Oct 2013 09:18:10
-0700 (PDT)
X-Received: by 10.229.73.6 with SMTP id o6mr18353639qcj.2.1382804290687;
Sat, 26 Oct 2013 09:18:10 -0700 (PDT)
X-Received: by 10.229.73.6 with SMTP id o6mr18353611qcj.2.1382804290249;
Sat, 26 Oct 2013 09:18:10 -0700 (PDT)
Received: from outbound3.email-dmamarketing.com (outbound3.email-dmamarketing.com.
[97.107.23.193])
by mx.google.com with ESMTP id di8si5827468qeb.48.2013.10.26.09.18.09
for <{Personal.Address}@spamhaus.org>;
Sat, 26 Oct 2013 09:18:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of Information@email-dma.org designates
97.107.23.193 as permitted sender) client-ip=97.107.23.193;
Authentication-Results: mx.google.com;
spf=pass (google.com: domain of Information@email-dma.org designates
97.107.23.193 as permitted sender) smtp.mail=Information@email-dma.org;
dkim=pass header.i=@email-dma.org;
dmarc=pass (p=NONE dis=NONE) header.from=email-dma.org
DKIM-Signature: v=1; a=rsa-sha1; d=email-dma.org; s=ym1024; c=relaxed/simple;
q=dns/txt; i=@email-dma.org; t=1382803973;
h=From:Subject:Date:To:MIME-Version:Content-Type;
bh=NbCmd56syevXaRGXfyKPbhTMZj8=;
b=kInv8J64kxmYEZs5l8ukbmq1J57sK3yxgssEa4OfxAuyN7FE8xU2MdYNy3eze1k6
Ew5F00SO+oqH4gG7DGWhn5QBxVMO9lZRiQOzARDuGyyMnMGprliVT5MfmCe1yUTu
ak2f5Oai5E6clQE0mhwXovt5UeVdCmBa4HezCWmtFrU=;
DomainKey-Signature: q=dns; a=rsa-sha1; c=nofws;
s=ym1024; d=email-dma.org;
h=Date:From:Subject:To:X-Header-Versions:X-Header-
CompanyDBUserName:List-Unsubscribe:Message-ID:X-Vitals:Reply-To:X-Header-MasterId:
MIME-Version:Content-Type;
b=izMYsqD+jhmMzcX/FAI4wa6HSAszhUia+GfB0Ufn4FjMna8kNwV2CqEja0stMvTl
74NBLU302qbZYarWw4bn8lyTOvwnk1gMAjl4xUC/AU52P4UHvqsg8qKsQQJk1glv
vlEgz0r9QaQ7d1RpzngeSScNPp1KraDOgDakmZS+ytk=
Date: Sat, 26 Oct 2013 09:12:52 PDT
**From: "DMA Career Center" <Information@email-dma.org>
Subject: Kick It Up A Notch With The DMA Career Center
To: {Personal.Address}@spamhaus.org**
X-Header-Versions: DMACareerCenter.VERP-code.123@email-dma.org
X-Header-CompanyDBUserName: dmamarketing
List-Unsubscribe: <mailto:dmamarketingVERP-code.123@email-dma.org?subject=unsubscribe>
Message-ID: <DMACareerCenter.VERP-code.123@email-dma.org>
X-Vitals: 1.115863.735214.1504285.11.45ce
Reply-To: DMACareerCenter.VERP-code.123@email-dma.org
X-Header-MasterId: 1504285
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="==========_ALT_1451519089_====="
Once we saw that spam and knew to look, Spamhaus investigators were quickly able to identify many other spamtrap addresses which also received the same spam, both spamtraps that belong to Spamhaus and spamtraps that belong to independent researchers on multiple networks. We also heard from several prominent anti-spam researchers, who also received this same spam at their personal email addresses. Given the number and diversity of the spamtraps that received this spam, we are 100% confident that the DMA also spammed a very large number of active user mailboxes.
In response to the DMA spam, we created these SBL listings:
Kick it up a notch indeed!
If you know how to read email headers, you can verify the source of the DMA spam from the headers posted above, or (quite possibly with this spam) from the copy that you received at your own email address. The DMA sent this spam through Yesmail, a large email service provider (ESP) which, like any ESP, sometimes has customers that import a purchased or email-appended list. Yesmail followed many ESP best practices to send this email. It registered domains to be used strictly to send bulk marketing email, properly identified both the domains (email-dma.org and email-dmamarketing.com) and the sending IP addresses (97.107.23.191-97.107.23.194) in the headers, and published appropriate DMARC records in DNS. In other words, Yesmail took responsibility for its network. We have no doubt that Yesmail will have some robust conversations with the DMA regarding their list, which was probably recently acquired, because any previous attempts to send email to that list would most certainly have drawn our attention.
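For readers who would rather script the header check than do it by eye, here is an added example (not part of the original article, and not Spamhaus tooling) that pulls the handoff IP and the SPF/DKIM/DMARC verdicts out of the headers quoted above. The function names are hypothetical, and it assumes mx.google.com is the recipient's own border MTA, so only headers written by that host are trusted.

```python
import email
import ipaddress
import re

# Abridged from the headers quoted above; folded lines are re-indented.
RAW = """\
Return-Path: <Information@email-dma.org>
Received: by mail-qc0-f181.google.com with SMTP id w4so2931323qcr.26
 for <{Personal.Address}@spamhaus.org>; Sat, 26 Oct 2013 09:18:10 -0700 (PDT)
Received: from outbound3.email-dmamarketing.com (outbound3.email-dmamarketing.com.
 [97.107.23.193])
 by mx.google.com with ESMTP id di8si5827468qeb.48.2013.10.26.09.18.09
 for <{Personal.Address}@spamhaus.org>;
 Sat, 26 Oct 2013 09:18:10 -0700 (PDT)
Authentication-Results: mx.google.com;
 spf=pass (google.com: domain of Information@email-dma.org designates
 97.107.23.193 as permitted sender) smtp.mail=Information@email-dma.org;
 dkim=pass header.i=@email-dma.org;
 dmarc=pass (p=NONE dis=NONE) header.from=email-dma.org
From: "DMA Career Center" <Information@email-dma.org>
Subject: Kick It Up A Notch With The DMA Career Center

"""
TRUSTED_MX = "mx.google.com"  # assumption: the recipient's own border MTA
ESP_RANGE = ("97.107.23.191", "97.107.23.194")  # range named in the article

def handoff(msg):
    """(sending host, IP) from the Received line our own MX wrote.
    Received lines added by earlier hops can be forged and are ignored."""
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the header
        m = re.search(r"from (\S+) \(.*?\[([0-9a-fA-F.:]+)\]\) by (\S+)", flat)
        if m and m.group(3) == TRUSTED_MX:
            return m.group(1), ipaddress.ip_address(m.group(2))
    return None, None

def auth_results(msg):
    """spf/dkim/dmarc verdicts, accepted only if our own MX recorded them."""
    flat = " ".join(msg.get("Authentication-Results", "").split())
    if not flat.startswith(TRUSTED_MX + ";"):
        return {}
    flat = re.sub(r"\([^)]*\)", "", flat)  # strip parenthesised comments
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat))

def analyze(raw=RAW):
    msg = email.message_from_string(raw)
    host, ip = handoff(msg)
    lo, hi = (ipaddress.ip_address(a) for a in ESP_RANGE)
    return {"host": host, "ip": str(ip), "auth": auth_results(msg),
            "in_esp_range": ip is not None and lo <= ip <= hi}

if __name__ == "__main__":
    print(analyze())
```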
Although the spam was sent from Yesmail IP addresses and uses Yesmail-registered domains, it is clear that the decision to spam was made not by Yesmail but by the DMA. First, the spam advertises the DMA Career Center. Second, embedded in the HTML of the spam message are URLs for images ("creatives", in marketing terms) that are hosted on thedma.org and the-dma.org, which (as the following Whois records show) belong not to Yesmail but to the DMA:
whois.publicinterestregistry.net
Domain Name:THEDMA.ORG
Created On:16-Dec-1998 05:00:00 UTC
Last Updated On:23-Oct-2013 20:15:14 UTC
Expiration Date:15-Dec-2014 05:00:00 UTC
Sponsoring Registrar:Network Solutions, LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Status:RENEWPERIOD
Registrant ID:19732466-NSI
Registrant Name:Direct Marketing Association
Registrant Organization:Direct Marketing Association
Registrant Street1:1120 Ave of the Americas
Registrant City:New York
Registrant State/Province:NY
Registrant Postal Code:10036
Registrant Country:US
...and...
whois.publicinterestregistry.net
Domain Name:THE-DMA.ORG
Created On:29-Aug-1995 04:00:00 UTC
Last Updated On:02-Jul-2013 18:37:36 UTC
Expiration Date:28-Aug-2015 04:00:00 UTC
Sponsoring Registrar:Network Solutions, LLC (R63-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:19732466-NSI
Registrant Name:Direct Marketing Association
Registrant Organization:Direct Marketing Association
Registrant Street1:1120 Ave of the Americas
Registrant City:New York
Registrant State/Province:NY
Adding the pink icing to the spam cake, the DMA's "CAN-SPAM compliant" identification at the foot of the message contained a remarkably non-transparent blob of code that requires the spam victim to click a tagged URL to read the DMA's privacy statement.
In other words, the DMA requires that the spam victim confirm that they read the spam email just so that they can find out what the DMA's policy is on the use of their personal information. Of course, no knowledgeable and careful spam victim clicks tagged links in email that they did not ask to receive.
While the CAN-SPAM link attempts to conform to American laws, the spam was also sent to users in many other countries where tracking of users without each user's consent is strictly forbidden. Included in the HTML of the spam are tagged URLs: URLs that are different for each email address that was spammed. A user whose email program fetches and renders images when email is opened will also automatically confirm that they received and opened the DMA's spam message without any notification to the user. Some of the images are single-pixel images, often called a "web bug," and others have long strings which appear to be unique identifiers, another form of identifier that is usually called a web beacon. The use of web bugs, web beacons, or other techniques that confirm receipt of a message without the recipient's active consent and participation is illegal in the European Union. The nine-year-old European Commission privacy document contains all the basic rules for sending bulk email to users in the E.U. This document states that use of purchased lists of email addresses is illegal, discusses the implications of European data privacy laws for bulk email, and covers other useful topics.
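Tagged URLs are easiest to spot when you hold two copies of the same mailing, for instance from two spamtraps: anything that differs between the copies is a per-recipient identifier. The following is an added example, not from the original article; the HTML bodies, hosts and identifiers are constructed placeholders rather than the DMA's actual message, and the function names are hypothetical. It assumes both copies share the same template, so their links line up in order.

```python
from html.parser import HTMLParser

# Constructed sample: one template rendered for two recipients.
TEMPLATE = """<html><body>
<img src="http://images.example.invalid/logo.gif" width="200" height="60">
<a href="http://click.example.invalid/c/{rid}/privacy">Privacy statement</a>
<img src="http://click.example.invalid/o/{rid}.gif" width="1" height="1">
<img src="http://images.example.invalid/banner.jpg?u={rid}" width="600" height="90">
</body></html>"""
COPY_A = TEMPLATE.format(rid="a81f3c09d2")
COPY_B = TEMPLATE.format(rid="7be4410c5f")

class _Refs(HTMLParser):
    """Collect (tag, url, width, height) for every <a href> and <img src>."""
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("href") if tag == "a" else a.get("src") if tag == "img" else None
        if url:
            self.refs.append((tag, url, a.get("width"), a.get("height")))

def refs(html):
    parser = _Refs()
    parser.feed(html)
    return parser.refs

def audit(copy_a, copy_b):
    """Compare the same mailing as delivered to two different recipients."""
    findings = []
    for (tag, url_a, w, h), (_, url_b, _, _) in zip(refs(copy_a), refs(copy_b)):
        kinds = []
        if url_a != url_b:
            kinds.append("tagged")    # URL is unique to each recipient
        if tag == "img" and (w, h) == ("1", "1"):
            kinds.append("web-bug")   # single-pixel image
        if kinds:
            findings.append((url_a, kinds))
    return findings

if __name__ == "__main__":
    for url, kinds in audit(COPY_A, COPY_B):
        print(",".join(kinds), url)
```

Only the static logo comes back clean; the privacy link, the single-pixel image and the banner each carry the recipient's identifier.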
As we have said for years in our Marketing FAQ:
"Unfortunately the US Direct Marketing Association wrongly advises DMA members that the sending of unsolicited bulk email (AKA spam) is an 'acceptable marketing practice'. This extremely bad advice by the DMA has tricked many DMA members into spamming and consequently damaged the communications and reputations of companies who believed they were following correct advice."
Only the U.S. DMA gives this particular (poor) advice; other DMAs in other countries are wiser:
"It must be stressed that this bad and irresponsible advice is given out only by the American DMA and is contrary to the correct advice of other international DMA organizations including the Australian, Canadian and European DMAs, all of which endorse opt-in policies only."
Had the DMA adopted the "opt-in only" position of its international partners, it would never have created the unnecessary Email Marketing Preference Service (e-MPS). This service and others like it ask email recipients to opt-out if they do not want to receive unsolicited bulk email. Such services are ill-advised, usually poorly executed, in many cases outright fraudulent, and utterly ineffective at preventing spam and abuse. For more on this subject, see our page on Spam "Unsubscribe" Services.
Earlier this year we had a Q&A exchange with the Magill Report. One of the questions was, "Could Spamhaus imagine cooperating with the DMA, and if so, what would that look like?" To that we replied (in part), "When the DMA accepts that unsolicited bulk email is a plague and stands solidly behind anti-spam best practices, then we'll be in cooperation." We trust that this goes without saying but -- just to be clear -- we would expect the DMA to practice what it preached in that case, and to completely stop promoting or using opt-out lists and opt-out email practices.
Isn't it high time that the U.S. DMA joined the rest of the world's DMA organizations, and the rest of the civilized Internet, in renouncing Unsolicited Bulk Email (UBE)?