NoSpam

I have had an email address for over a quarter of a century. Longer than I’ve had a cell phone and almost longer than I’ve had a car. The progression is as follows:

CompuServe -> Prodigy -> AOL -> [Regional Providers] -> Aloyts.[com,org,net, et al.].

I use different domains to host with different clouds and, before the birth of cloud, all kinds of other hosts. .COM might point to Office 365 whereas .ORG might route to Google Apps. Back in the day, I used to host my own Sendmail and then Exchange boxes but this headache is only cost-effective if you have a lot of users. At least one of whom is an admin.

I am a little old-fashioned and prefer the hierarchy of a folder structure (Outlook/O365) to the chaos of the Google “Labels”. Even though I understand the technical advantage of storing mail in a “heap” and just using attributes to search it, I have every single email sent and received since 1996. How long, do you imagine, does it take to search when using a portable? Or worse: a phone? I can navigate my hierarchy in seconds. Provided I remember it. But that’s another matter…

Anyway, I developed what I thought, at the time, was a unique way to organize my mails. Before I register for ANYTHING, I create [VENDOR-NAME]@aloyts.com, then create a rule to look for VENDOR-NAME in the email header. This way the vendor gets a separate destination folder with only its own threads. No sorting through irrelevance to find that one email from a week ago. It also offers me the added benefit of knowing exactly who sold my name to whom. If I get an email to VENDOR-NAME@aloyts from someone other than VENDOR, guess what? This doesn’t happen nearly as often as it used to since companies started actually guarding their customer data, but before the days of SPAM-based black-listing, some of my addresses became all but useless.

O365 allows unlimited aliases for my little scheme whereas Google Apps limits alias count to 30. And yet, one of the major advantages of Google Apps over O365 is the ability to have wildcard domains such as *.aloyts.com. I don’t even need to add my [VENDOR-NAME] as an alias any more. But wildcard addresses are a liability. EVERYTHING@yourdomain will hit your inbox. Not for the unnerdy. So let me show you how I have maintained my SPAM-count in the single-digits (per month!) despite having this wildcard catch-all.

As exhibit A, I am choosing CallidusCloud, a very persistent spammer that has ignored all reports of all abuse as well as the company that sold them my contact info. Mind you, I do not believe that the failure to unsubscribe is malicious in this case – rather just the consequences of disorganization. CallidusCloud was recently acquired by SAP. Still…from rotten roots come rotten fruits and in their plight to digest their newly purchased toy, SAP deserves a little indigestion. As does OrientDB for selling my email in the first place.

Please NOTE that I could automate much of this but, given the current price of spamming, I actually fear false-positives and want to make sure I’m not reporting things that might be legitimate. Although I do automate most domain and contact lookups, I still look at every single mail. Promise!

So…on to CallidusCloud:

Since the domain is hosted with Google Apps, I will be using the browser given that that’s Google’s window-to-the-customer of choice. Outlook is LESS secure they say!! (Perhaps…but the reason they make it hard for you to get your stuff there is not because they care so much about you leaving your device unlocked but because they cannot advertise to you except by way of browser.) Anyway…all of this info can be obtained just as easily (sometimes more easily) using Outlook’s views and properties.

[Show Original] from the email menu gets us:


And:

You will need to paste this information (called the “header”) in your spam report. But where to send? The first thing that you see is that OrientDB, a graph database company for whose mails I did, in fact, sign up, has sold my info to CallidusCloud and signed me up for newsletters without my consent. Else it would have been callidus@aloyts, wouldn’t it have? Chain-of-email-custody, kids. Very hard to argue this one. We know what this behavior is called and I hold both parties guilty, much in the way you are just as guilty receiving stolen merchandise as you are stealing in the first place.
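The alias check and the header reading described above, as an added example that is not part of the original post. The sample header is constructed: only the domain names and the IP address come from the post, while the alias orientdb@aloyts.com, the sender address, the hostnames and the dates are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "aloyts.com"  # the catch-all domain from the post

# Constructed sample. Only the domain names and the IP appear in the post;
# the alias, sender address, hostnames and dates are made up for illustration.
SAMPLE = """\
Delivered-To: orientdb@aloyts.com
Received: from relay.example.net ([10.0.0.5]) by mx.example.org; Mon, 01 Jan 2018 10:00:02 +0000
Received: from out.example.com ([104.130.122.117]) by relay.example.net; Mon, 01 Jan 2018 10:00:01 +0000
From: Newsletter <news@calliduscloud.com>
To: orientdb@aloyts.com
"""

def vendor_alias(msg):
    """Local part of the first recipient address on the catch-all domain."""
    fields = []
    for name in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields.extend(msg.get_all(name, []))
    for _, addr in getaddresses(fields):
        local, _, domain = addr.lower().rpartition("@")
        if domain == MY_DOMAIN and local:
            return local
    return None

def first_public_ip(msg):
    """Newest hop first: hops added by your own provider are the trustworthy
    ones, anything further down can be forged by the sender."""
    for hop in msg.get_all("Received", []):
        for text in re.findall(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]", hop):
            try:
                if ipaddress.ip_address(text).is_global:
                    return text
            except ValueError:
                continue
    return None

def analyse(raw):
    msg = message_from_string(raw)
    alias = vendor_alias(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s)
    leaked = alias is not None and squash(alias) not in squash(sender)
    return {"alias": alias, "sender_domain": sender,
            "alias_leaked": leaked, "report_ip": first_public_ip(msg)}
```

The From line is trivially forged, so treat `alias_leaked` as a prompt to read the header yourself, not as a verdict.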

So…let’s find out where we send said report. If you use a Linux distro this part is really easy. Just type: whois [domain-name] and you get:

Unfortunately for us, but very fortunately for the good old spammer, their abuse contact is @GoDaddy. As far as registrars go, GoDaddy is quite an enabler of the behavior.

If you have Windows, you will need to install one of the Sysinternals packages to mimic WHOIS lookups. Or, you can use any domain registrar or something like domaintools.com since it’s easy and doesn’t require CAPTCHAs unless you hit them with a bunch of requests. Same abuse info, including registration and pretty in a browser. For those of you who don’t appreciate computing’s manual transmission, none of this command-line crap:

http://whois.domaintools.com/calliduscloud.com

Gives us:

A company with anonymous domain registration is always a red flag. There are reasons to be private but usually it’s just a tool to persist in bad behavior. It has always proven to be a dead-end of sorts. But…another thread to pull is to see who is doing their email. If we’re lucky, it’s another company.

nslookup -type=mx calliduscloud.com

This command works in Windows too! Joy! And you can look up everything that would appear in a DNS records list for a domain. SOA, A records, CNAMEs. Whatever you want.

 

 

Unfortunately, Mimecast is also registered with GoDaddy. AND…to make things even more annoying, they don’t let the contact info propagate to other lookup tools. You have to go to whois.godaddy.com. That’s fine. The price you pay is having to prove you’re human by entering a CAPTCHA. Good luck with that. Anyway:

You do get a fresh email address to add to your complaint. At this point, all we’re doing is a spray-and-pray of our own and collecting relevant email addresses to receive our SPAM report. There is one other thing I wish to cover and that is ARIN.net, the American Registry for Internet Numbers. They are the same people who send out a notice every year that says you need to update your contact info and keep it current or risk cancellation of your domain. Not sure they ever do but I like to spread my spam-sensitive tentacles to cover the most ground. There are currently 5 regional registries covering the world. They are:

https://en.wikipedia.org/wiki/Regional_Internet_registry

As for mine:

https://whois.arin.net/rest/net/NET-104-130-122-0-1/pft?s=104.130.122.117

Looking up the original IP address (which belongs to Mailgun) you see:

 

And since they are hosted at Rackspace (a large provider), you should definitely include that contact, as they are also not likely to endanger their entire network for a single customer and will hopefully force the spammer to take action.
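The contact-collecting steps above (registrar WHOIS for the domain, registry WHOIS for the sending IP), as an added example that is not part of the original post. It goes slightly beyond the post by also reading the `abuse-mailbox` field used by registries other than ARIN; the WHOIS excerpts and every address in them are constructed placeholders.

```python
import re
from email.message import EmailMessage

# Field names as they appear in registrar WHOIS (ICANN format), ARIN and
# RIPE/APNIC-style output. All values below are constructed placeholders.
ABUSE_FIELD = re.compile(
    r"^\s*(?:Registrar Abuse Contact Email|OrgAbuseEmail|abuse-mailbox)\s*:\s*(\S+@\S+)",
    re.IGNORECASE | re.MULTILINE,
)

DOMAIN_WHOIS = """\
Domain Name: SENDER.EXAMPLE
Registrar: Example Registrar, LLC
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Organization: Example Privacy Proxy
"""
IP_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
OrgName:        Example Hosting
OrgAbuseEmail:  abuse@hosting.example
OrgTechEmail:   noc@hosting.example
"""

def abuse_contacts(*whois_texts):
    """Collect abuse addresses from several lookups, de-duplicated, in order."""
    seen = []
    for text in whois_texts:
        for addr in ABUSE_FIELD.findall(text):
            addr = addr.lower().rstrip(".,;")
            if addr not in seen:
                seen.append(addr)
    return seen

def build_report(raw_headers, sender, *whois_texts):
    """Draft (not send) a report that carries the full header as evidence."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(abuse_contacts(*whois_texts))
    msg["Subject"] = "Unsolicited bulk email: full headers included"
    msg.set_content("Full headers of the unsolicited message:\n\n" + raw_headers)
    return msg
```

The draft is only built, never sent, which keeps the look-at-every-mail step in place before anything goes out.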

Speaking of large providers, I have been overwhelmingly impressed with Amazon Web Services’ follow-up and general results when abuse is coming from their network. As well as some of the large mail services like MailChimp and ConstantContact. They understand well that the few rotten fruits within their basket will rot the whole and cause them problems. A+ to those folks. But if the traffic comes from somewhere else, or is just someone’s mail-merge, you probably won’t be as lucky. And if it comes from one of the ubiquitous overseas spray-and-pray “recruiters” then I feel for you; however, taking it up with their upstream providers can sometimes get results.

If any contact information on a registered domain is inaccurate or gets a bounce, proceed with the report ARIN lets you make. Again, I don’t know if they actually follow through on anything like domain cancellation but my hope is that people who deliberately obfuscate their contact info likely don’t check their spam-trap emails all that often. Who knows…perhaps one day some spammer/obfuscator will lose their domain. (May we all live that long.)

Let’s come back to the chain-of-custody. Remember OrientDB? The graph DB company that sold my info to begin with? Rinse and repeat for them as well. Funny part is that the founder of OrientDB actually lists his Gmail on the WHOIS record. But he obviously doesn’t check it often.

 

Wrapping up, you have an email that goes out that will look like the below.

 

If my experience is any guide, you won’t have to fight with any particular domain for too long. Luckily, the spammy-stigma is so strong that no one wants to be on the wrong side of a spammer accusation. CallidusCloud seems to be the last, persistent holdout and hence the name-and-shame.

But before you start accusing me, remember that complaining is a hobby and it could have been much worse. I could have reserved domain names and put up a site with advertising like I do for those who actually cost me money. You know the riotously funny thing about advertising on complaint letters? So far all they match is keywords. They do not (yet) infer the context or the sentiment. All 3 of the below have served their own ads into my complaints about them. I LOVE artificial “intelligence”.

http://www.53nightmare.com

http://www.brevillesucks.com

http://www.lawrys.org

Epilogue:

I have always thought it common courtesy to safeguard the data with which one is entrusted. As a company receiving email addresses, this means don’t sell them! And even as an individual who just got a juicy business card with all kinds of awesome data: use it sparingly.

The “rules” here are far more nebulous than with commercial email but I would like to propose at least some graceful expectations. What I mean when I hand you a business card is for you to launch a personal 1:1 communication. That’s it. NOT your newsletter. Not your status updates. Your Christmas email list. Donation solicitations. Your funnies. Or worse than any aforementioned: membership in your giant BCC list as it’s the logical equivalent of you gathering “your people” and screaming to the room.

Confession: I probably don’t care unless you’ve filtered the information before screaming it and I certainly don’t care to do the filtering job for you. Unless you have personally clicked NEW and typed the email, I promise you that most of your recipients likely feel the same. And the worst part about these types of comms that makes them much more difficult than a commercial emailer? There is no UNSUBSCRIBE! It’s uncomfortable to send a 1:1 to a person you just met to take you off whatever list. So I don’t do it. Instead I flag you and won’t likely ever see another message from you again. Guess what happens if enough of your recipients do the same? Google, Microsoft and likely whatever is your target's mail provider will use the machine learning of your spammy ways and junk ALL of your messages. You probably don't want that. Or do you?