How to keep your organization's mail from being caught in the spam filter

The "This is Spam" button popping up on many service providers' email services can be empowering for a user or potential spam victim. But it can also be the kiss of death for a legitimate business that, with a click of that button, gets falsely labeled as a spammer.

Naiveté, dumb luck, or just plain laziness can stuff your company into the spam can if you're not careful. By making any one of several common mistakes, your company can encounter blocking of its marketing emails, newsletters, or other key customer interactions.

The main theme here is due diligence. "When a legitimate company is accused of spamming something, a lot of the time they've done something stupid," says Richi Jennings, lead analyst for the email security practice at Ferris Research.

Thanks to Jennings and other messaging and spam experts, we've compiled a list of seven of those "stupid" missteps that can lead to your company's email being mislabeled as spam (and some ways to avoid them). Take some time to consider these: Your company's reputation -- and its bottom line -- may depend on it.

And share with us here at Dark Reading any lessons you may have learned as a legit company being falsely accused of spamming. Please post your experiences and opinions on this topic to our message board, rather than using email. We wouldn't want you to get spam-filtered.

1. Ignoring "unsubscribe" requests.

This may sound like a no-brainer, but if you don't stay on top of your "unsubscribe" requests, you might get an unwanted surprise from a frustrated user who gets your newsletter once too often -- getting dropped into the spam bucket of his or her email service.

Think of this oversight as good housekeeping. "This is list management -- do you know who you are sending mail to, and do they really want it?" says Ross Fubini, senior director of development for Symantec. "Also, where did you build or buy that list from, and did these people want to get that email?"

Jennings says companies should be sure their "unsubscribe" links are really working. "If your link is nonfunctional and goes to a 404 page, this is stupid and likely to get you a reputation of being a spammer," he says. "It's also illegal in the U.S. and other countries. You must honor 'unsubscribe' requests by law."

Instead of going through the unsubscribe process, some users sign up for a newsletter, then later change their minds and use the "This is Spam" button as a shortcut. This adds stigma to your company's name, and the spam filter may later assign the same rule to other users, catching your newsletter in the service provider's filter. "With AOL, Google's Gmail, and Hotmail, this can be a problem" with the learning filter, he says.

What can you do? AOL lets bulk email senders register for a "feedback" loop. "So if a subscriber hits 'This is Spam' and you're a legitimate company, AOL will tell you that you are receiving spam complaints," Jennings says. The loop also shows where the users' messages came from, so you can unsubscribe them.

Hotmail, meanwhile, offers both a "This is Spam" and an "unsubscribe" button option to avoid the mistaken spammer problem. It requires you to code newsletters or other mail with special headers so that Hotmail can add buttons to your messages, Jennings says.
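The "special headers" the article refers to are, in standard terms, List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058), which mailbox providers read to render their own unsubscribe button. The following is an added example, not code from the article or from any of the vendors quoted; the sender domain, mailbox and URL are constructed placeholders.

```python
"""Newsletter builder that carries machine-readable unsubscribe headers.

Added example, not code from the article. It uses the standard headers
List-Unsubscribe (RFC 2369) and List-Unsubscribe-Post (RFC 8058); the
sender domain, mailbox and URL are constructed placeholders.
"""
from email.message import EmailMessage
from email.utils import formatdate, make_msgid
from urllib.parse import quote

SENDER_DOMAIN = "example.com"  # constructed placeholder


def build_newsletter(recipient: str, subject: str, body: str) -> EmailMessage:
    """Return a newsletter message the recipient's mail client can unsubscribe
    from without the reader hunting for a link in the body."""
    msg = EmailMessage()
    msg["From"] = f"newsletter@{SENDER_DOMAIN}"
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=False)
    msg["Message-ID"] = make_msgid(domain=SENDER_DOMAIN)
    token = quote(recipient, safe="")  # the address goes into a URL: encode it
    # RFC 2369: one mailto: target and one HTTPS target, each in angle brackets.
    # Both endpoints must really remove the address when used (see item 1).
    msg["List-Unsubscribe"] = (
        f"<mailto:unsubscribe@{SENDER_DOMAIN}?subject=unsubscribe%20{token}>, "
        f"<https://{SENDER_DOMAIN}/unsubscribe?addr={token}>"
    )
    # RFC 8058: the HTTPS target accepts a single POST carrying this body, so
    # the mail client can unsubscribe with one click and no page visit.
    msg["List-Unsubscribe-Post"] = "List-Unsubscribe=One-Click"
    msg.set_content(body)
    return msg


def has_unsubscribe_headers(msg: EmailMessage) -> bool:
    """Pre-send gate: both headers present, mailto and HTTPS variants offered."""
    lu = str(msg.get("List-Unsubscribe", ""))
    post = str(msg.get("List-Unsubscribe-Post", ""))
    return "<mailto:" in lu and "<https://" in lu and post == "List-Unsubscribe=One-Click"


if __name__ == "__main__":
    m = build_newsletter("alice@example.org", "Monthly update", "Hello from Example Co.")
    print(m)
```

RFC 8058 one-click processing also requires the message to be DKIM-signed with the List-Unsubscribe headers covered by the signature, and providers only honor the headers when the endpoints behind them actually work, which brings the "test your own unsubscribe link" advice from item 1 back into play.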

2. List "repurposing."

It's the oldest trick in the book. A user signs up for a company's email updates or newsletter and suddenly starts receiving unsolicited mail from another source.

"The company says 'we've got this new newsletter and thought you might be interested,' and you can opt out, of course," Jennings says. "But that's frowned upon and likely to get you a reputation as a spammer."

To avoid getting labeled, the key is to provide the recipient with an option to receive a new newsletter or mailing, rather than just sending it through -- click here and sign up. "You need to give people an option to opt in to new things, rather than a default 'opt out.'"

Recycling customer email lists may be handy to the marketing department, but it could hurt your business in the end. And sharing addresses with your sister company counts, too, Jennings says. "That's almost like selling your list, but selling it within your company," he says. "It's not what the customer originally signed up for."

Symantec's Fubini says he's seen cases where a company builds up a mailing list for one product and decides to just apply that mailing list to a new, unrelated product, which can cause problems. You have to ask whether the customer really wants to hear about this second product, he says.

"If a company is using my email address for a marketing campaign for hiking boots and then starts reusing it to sell skis from a different brand, it looks like spam to me," he says.

"If they signed up to hear about all of your sales in the Christmas season, then it's legitimate," he says. "You have to be honest about managing the email list you have... So you're ultimately delivering mail to people who want to hear your message."

3. Providing unclear privacy checkbox instructions, and ignoring users' responses.

This goes back to the honesty thing: "Be really up front with people, so they can [easily] click that 'opt-out' box," Fubini says.

If a box is pre-checked to opt in, that may appear suspicious and unprofessional. Ferris Group's Jennings says expecting the user to uncheck the box if they don't want to receive your mailings is a sketchy area: "In Europe, you must give informed consent. If [the sender has] pre-checked the subscription checkbox, that's not informed consent."

And if the opt-out instructions are confusing or unclear, you could turn users off -- and potentially get into hot water. "If people look at that wording, they may think you are shady. If they think they've already unsubscribed [by unsuccessfully following the confusing directions], they may report you as a spammer" when they get your newsletter, Jennings says.

"You're so much better off being honest and losing a couple of people who are vigilant about managing their inboxes than you would be creating a lot of bad will and customers reporting you as spam," Fubini says.

4. Losing track of internal desktop and server machines that can be used against you.

Andrew Lee, chief research officer for Eset, says he recently conducted an audit for a client and found an infected machine sitting under some tables in the janitor's broom closet. It was pumping out thousands of IP scans per minute. "No one had any idea it was there, or why it was there, and by the age of the hardware, it had been there a very long time," he says. "It's very hard to get free of the taint of being a spammer, or being associated with an IP that is on a lot of block lists. And it can be really hard to clean that up."

Lee recommends instituting strong policies and good accounting of your servers, desktops, and other computing resources -- and their configurations. "It's amazing how many companies have servers and desktops that they know nothing about... that someone set up for some reason, and then forgot about."

And be sure any desktop machines that store your customers' email addresses don't get infected themselves. "If a user from a legitimate sender downloads a list of subscribers onto his PC -- and the PC has been infected with a Trojan or viruses looking on your hard disk for email addresses and then sending them back to a spam list -- that can get you into lot of trouble," Jennings says.

5. Not keeping databases and address lists up to date.

It's not enough to keep close tabs on the desktops and servers that house your mailing lists. You should be careful when you reuse an old mailing list.

An older mailing list may not have the updated "opt out" information on your customers, Fubini says. "You need to test your 'opt out' process -- validate it by signing up for it and opting out to see if it works," he says. "It's due diligence on your own processes."

If your company is growing through acquisitions and new databases are cropping up, synchronization can be dicey, Jennings says. A customer may have opted out of all of your mailings, but the removal might only be recorded in one database. The customer's reaction: "You didn't respond to my unsubscribe question, therefore you are a spammer," he says.
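The synchronization problem Jennings describes has a simple defensive fix: treat every database's opt-out records as one global suppression list and filter the send list against it before any mailing goes out. The following is an added example, not code from the article; the record layout and the sample databases are constructed to show the case where the same customer appears in two databases and only one recorded the unsubscribe.

```python
"""Merge opt-out records from several databases into one suppression list.

Added example, not from the article. Record layout and sample databases are
constructed; a real deployment would read them from the CRM and the acquired
company's system instead of literals.
"""


def normalize(addr: str) -> str:
    """Canonical form for matching: trim whitespace and lowercase both halves.
    Most providers treat the local part case-insensitively, and a false
    negative here means mailing someone who asked you to stop."""
    addr = addr.strip()
    if "@" not in addr:
        return addr.lower()
    local, _, domain = addr.rpartition("@")
    return f"{local.lower()}@{domain.lower()}"


def build_suppression_list(*databases: list[dict]) -> set[str]:
    """Union of every address flagged opted_out in ANY database.
    An opt-out recorded anywhere wins over a live record elsewhere."""
    suppressed: set[str] = set()
    for db in databases:
        for rec in db:
            if rec.get("opted_out"):
                suppressed.add(normalize(rec["email"]))
    return suppressed


def filter_send_list(send_list: list[str], suppressed: set[str]) -> tuple[list[str], list[str]]:
    """Split a send list into deliverable addresses and suppressed ones,
    preserving the original spelling so the dropped entries can be audited."""
    ok: list[str] = []
    dropped: list[str] = []
    for addr in send_list:
        (dropped if normalize(addr) in suppressed else ok).append(addr)
    return ok, dropped


# Constructed sample data: Alice unsubscribed in the CRM, but the acquired
# company's database still shows her as subscribed.
CRM_DB = [
    {"email": "Alice@Example.com", "opted_out": True},
    {"email": "bob@example.net", "opted_out": False},
]
ACQUIRED_DB = [
    {"email": "alice@example.com", "opted_out": False},
    {"email": "carol@example.org", "opted_out": True},
]
SEND_LIST = ["alice@example.com", "bob@example.net", " CAROL@example.org ", "dave@example.com"]

if __name__ == "__main__":
    suppressed = build_suppression_list(CRM_DB, ACQUIRED_DB)
    ok, dropped = filter_send_list(SEND_LIST, suppressed)
    print("send:", ok)
    print("suppressed:", dropped)
```

The point of the union is that an unsubscribe is a one-way door: a later "subscribed" record in another system must not reactivate the address unless the customer explicitly opts back in.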

And if your company is reported to SpamCop or another spam reporting service, be sure to follow up on any spam reports. You can set up an abuse email "alias" with an ISP to keep track of any spam complaints against your company.

"Act on them immediately by unsubscribing users [who request it] and list-washing," Jennings says. "Ask how it is that we are suddenly receiving complaints about the newsletter... What's causing people to say this is spam? Is this because of mission creep? What have we done?"

6. Having vulnerable mailer forms on your Website.

SMTP relay-driven spam is not as common today -- botnets push most spam -- but if you have a mailer form on your Website that can be abused as an open relay, an old-school spammer could use this to shoot his mail through, notes Eset's Lee. "This is much less common now. But it still happens, particularly in smaller businesses where there is less expertise in the organization."
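The usual way a contact form turns into a relay is that it copies form fields straight into message headers and lets the visitor choose the recipient. The following added example (not code from the article) shows that defect beside a hardened handler: the recipient is fixed server-side, header fields are validated to a single line, and the message is built with a library that refuses embedded line breaks. Addresses and limits are constructed; nothing is actually sent.

```python
"""Web mailer form: the relay-prone pattern beside a hardened version.

Added example, not from the article. CONTACT_MAILBOX and the field limits
are constructed values; both handlers only build a message, neither sends.
"""
import re
from email.message import EmailMessage

CONTACT_MAILBOX = "contact@example.com"  # constructed: the only allowed recipient

# One line, bounded length. Header values must never contain CR or LF.
HEADER_FIELD = re.compile(r"[^\r\n]{1,200}")
# Deliberately strict address shape for a form field (not full RFC 5322).
ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
MAX_BODY = 5000


class FormError(ValueError):
    """Raised when a form submission fails validation."""


def vulnerable_handler(form: dict) -> str:
    """The 'before': raw string concatenation into headers.
    The visitor picks the recipient, and a line break inside 'subject' or
    'from' ends that header and starts a new one of the visitor's choosing."""
    return (f"To: {form['to']}\r\n"
            f"From: {form['from']}\r\n"
            f"Subject: {form['subject']}\r\n"
            f"\r\n{form['body']}")


def hardened_handler(form: dict) -> EmailMessage:
    """The 'after': fixed recipient, validated fields, structured message."""
    sender = form.get("from", "")
    subject = form.get("subject", "")
    body = form.get("body", "")
    if not ADDR.fullmatch(sender):
        raise FormError("invalid sender address")
    if not HEADER_FIELD.fullmatch(subject):
        raise FormError("subject must be one line of at most 200 characters")
    if len(body) > MAX_BODY:
        raise FormError("message too long")
    msg = EmailMessage()
    msg["To"] = CONTACT_MAILBOX      # never taken from the form
    msg["From"] = CONTACT_MAILBOX    # our own domain, so SPF/DKIM stay aligned
    msg["Reply-To"] = sender         # the visitor's address goes here instead
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def is_rejected(form: dict) -> bool:
    """Convenience for tests and monitoring: does validation refuse this input?"""
    try:
        hardened_handler(form)
    except FormError:
        return True
    return False


if __name__ == "__main__":
    good = {"from": "visitor@example.org", "subject": "Question about pricing", "body": "Hi"}
    print(hardened_handler(good))
    bad = dict(good, subject="Hi\r\nX-Injected: 1")
    print("rejected:", is_rejected(bad))
```

Logging rejected submissions (count per source IP, without storing the payload) is a cheap detection signal: a burst of rejections against a contact form is the pattern to watch for, long before the domain ends up on a block list.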

Be sure to restrict the exposure of your own users' email addresses on the Web, he says. Industrial espionage often begins by sending to a potential victim's domain a huge number of messages with different names, to see what bounces or responds, Lee says. "By this, the attacker can work out what addresses exist inside the organization and start to target individuals."

"It's wise to make a pool of addresses that are the only ones ever published outside of the organization. This can also help to reduce the spam coming in, as those particular addresses can be singled out for filtering."

If your email addresses are available via the Web, spammers can use them as spoofed addresses in their spam runs, he says, which puts the spam blame on your organization. "This is unavoidable in some ways, but it can be restricted to a few addresses."

7. Working with non-reputable third-party mailers.

Careful who you entrust your mailings to: Some providers can be disreputable, notes Ferris's Jennings. They may be sending your newsletter to users who are not interested in it -- and you could get slammed as a spammer by proxy. "Those users don't want to receive your newsletter, and they will label you as a spammer," he says. "Be really careful who you contract" with.

One way to tell if you've chosen a good outsourcing service is to be sure these firms practice the same policies as you -- checking email addresses and maintaining clean databases, says Eset's Lee. "Unfortunately, even legitimate companies that have no intention of spamming have been caught outsourcing their [email] advertising to companies which are less than scrupulous."

The warning signs? "If a deal is too good and the price is too right," says Symantec's Fubini. "You have to really ask them questions about their business -- where do they get their email lists, and ask to see their 'opt out' page."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
