Spamhaus’ take on Cold Emailing…AKA spam

What cold email really is (and isn’t)

As the name suggests, “cold email” is a spin on the term “cold call,” a practice that predates email. In both cases, the word “cold” directly indicates that the person being contacted has no prior relationship with the initiator. This is in contrast to a warm or hot lead, where some level of interest already exists.

By definition cold emailing is the practice of sending unsolicited emails to individuals or businesses with whom you have no prior relationship, typically for professional purposes.

But the fact that an email is unsolicited doesn’t automatically make it spam. There can be legitimate, one-to-one messages sent between two people with no previous connection. The problem begins when “cold emailing” becomes automated, scaled, and sent in bulk. This is when it crosses the line from a personal message to spam.

This practice of cold emailing often tries to bypass anti-spam laws, by leveraging personalization and claiming "legitimate interest”. Or falsely identifying as transactional because they are sent “one-to-one”. But cold emails are not transactional. There’s no existing business relationship, no transaction, and certainly no confirmed opt-in (COI). So what is it, exactly?

Cold Email vs. Spam

From our perspective, it’s simple: it’s spam. Let’s take a look at a definition.

Spam as defined in Spamhaus’ FAQ, notes that all email sent unsolicited and in bulk is "spam". Spamhaus uses the industry standard definition "Unsolicited Bulk Email" which underlines that "it's not about content, it's about consent", where:

Unsolicited means that the recipient has not granted verifiable permission for the message to be sent.

Bulk means that the message is sent as part of a larger batch of messages, all having substantively identical content.

By definition, there is no difference between cold email and spam - no consent, no commercial relationship, and often some form of bulk (automated) delivery.

Here’s some examples of what we’re seeing

Spamhaus has observed a rise in businesses using the cold email approach to send irrelevant email to large audiences. The addresses are often acquired through dubious approaches such as scraping LinkedIn and then using that information to do email appending.

Content creation is done via Language Learning Models (LLMs) to quickly iterate on the same basic message, resulting in emails with different wording. Using large sets of throwaway domains that closely resemble the main business domain name, the emails are then sent through legitimate services, including Microsoft Outlook and Google Apps.

Here is a sample cold email, in this case using the domain: thewandr.click

What’s fuelling the growth of cold outreach emails?

Introducing: The Enablers. There's been a serious growth of cold outreach platforms in the last decade, many of which enable spam.

Typical modus operandi for such spam enabling operations include, but aren't limited to:

• Buying email addresses in bulk or scraping contacts from social media and business websites, and using email appending to create target lists
• Using warmup tools to spread traffic across multiple platforms
• Using Large Language Models (LLM) and/or Artificial Intelligence (AI) to generate personalized content
• Interacting with emails to fake engagement
• Using platforms which enable bulk creation of domains for the sole purpose of soliciting prospects (and evading filters)
• Misusing the free tier of sending platforms and cloud providers

A growing number of businesses use email scrapers, warm-up tools, fake engagement services, and cousin domains, all under the guise of legitimate outreach.

These messages are highly irrelevant with the same templates being duplicated and sent at scale with no intention of defining legitimate business interest. Scraping tools are particularly useful for extracting decision makers from business networking platforms or to auto-complete email addresses based on Personally Identifiable Information (PII).

We predict that this form of spam is only going to increase with the rise in use of AI and LLM, to target large cohorts with even greater precision and volume.

Legal doesn’t mean ethical

Cold emailing originally involved sending tailored content to carefully selected individuals with a legitimate business interest, while being honest about the intent. There are cases of legitimate interest where businesses can reach out to prospective customers but they should always follow email best practices.

CAN-SPAM and GDPR have not fully evolved guidelines on B2B email communication and this grey area is being exploited by Cold Email spammers. The usage of bulk sending tools, mass acquisition of domains for the purpose of deceiving recipients and faking engagement are highly unethical though they might be following the current email guidelines.

Our recommendations

Spamhaus considers both the users and enablers of any of the above practices, with the intention of increasing prospects, to be engaging in spam. We recommend that platforms enabling bulk email sending, prohibits this type of activity in their Acceptable Usage Policy (AUP) guidelines and implements a strict enforcement policy.

As with other forms of spam, permission is not transferrable. Platforms should ensure that their users can provide clear evidence of consent to demonstrate a legitimate business interest. As with our existing listing policies, Spamhaus will assess Cold Outreach Email sent in bulk and hitting our spamtraps as candidates for listing.

We're actively contributing to the upcoming “M3AAWG Position on Cold Email”, a collaborative effort to define best practices and address the risks associated with this unsolicited outreach - keep an eye out for updates!