
I receive cryptocurrency & ICO spam sent via mailchimp several times a week and usually report it right away. A few weeks ago I called out the CEO of a blockchain company and demanded to know how they got my email since clearly I had no relation with them before. They admitted to have bought a list of addresses from another party where my email was part of the dump. After reporting this I still kept getting spam though. This morning another firm spammed me via MailChimp and despite Mailchimp's claims that they've cracked down on it no statement or apology from them, and I even got the impression that they were looking at me like I'm somehow overly pedantic ... (I was pretty pissed so my reply wasn't as friendly as it could have been): https://twitter.com/ValbonneConsult/status/98149715690437427...

The basic problem seems to me MailChimp's assumption that people only upload address lists from users they have consent from, when in reality everyone just uploads their LinkedIn address books and hopes not too many will press the "report" button. I am seriously fed up with Mailchimp not taking any actual action against these users after I already told them that I don't consent to receiving any messages about any topic from anybody via their platform. MailChimp should add a feature IMO where if somebody uploads an email address of people opting out that this person will be blacklisted from further using MailChimp.

> assumption that people only upload address lists from users they have consent from

It's not an assumption, it's a core of e-mail marketing business. They can't really ask for consent to receive marketing e-mails, because they can't get much consent for this. So the whole thing relies on people being tricked into giving away e-mail addresses, unknowingly consenting to e-mail marketing, being lazy to fight unsubscribing bureaucracy, etc.

There’s no unsubscribe policy that would get your address out of a “100000 Java developers emails” dump sold freely on the internet.

The tech community has an incredible disconnect with the marketing community here. We all assume buying dumps of email addresses is a bad thing, we all hate it, we all think people are working with us to stamp out the practice.

I have friends in sales in other businesses too who look at their entire job as being "buy Google ads, buy Facebook ads, buy email lists". The idea such a thing might not be ethical is absolutely foreign to them.

I am confused by how anyone who uses email to a significant degree could not understand that unsolicited bulk email is harmful. Sure, modern spam filtering is pretty effective, but any time a significant amount gets through, it becomes very difficult to use your email account for anything practical.

It doesn't take tech expertise to understand this, nor an especially advanced or specialized worldview to understand that breaking things for other people might be ethically questionable.

There's a huge difference between buying ads and straight up buying email lists...

I agree with you, but my whole point is that not everyone does.

Buying dumps of emails IS a bad thing, even marketers know that.

As both a marketer and a developer, I can say that buying an email dump is NEVER something that I would do, but it's not for the ethics of it (we all know marketers have no ethics). I wouldn't buy a list to spam because THAT list isn't MY list.

The hit/conversion rate on a list of random emails, or even semi-qualified emails, that you don't have a relationship with is so incredibly low, that it isn't worth it to spam their inbox, risking my reputation (opens & clicks to spam ratio).

A one percent uptick in spam reports is enough to downgrade my sending IP enough that my real customers would start missing my emails.

Real marketers aren't going to send an automated marketing email to a list of people they don't have a relationship with.

Most of the spam that hits my work email is people offering to sell email lists...

> They admitted to have bought a list of addresses from another party where my email was part of the dump.

This is such a crappy practice for bootstrapping a new email marketing list, few things infuriate me as much as this. If nothing else, it instantly makes me never want to even look at your new product or service regardless of how good it might be.

I added the +coin name to my email when signing up for a crypto-related product years ago, have since seen that redistributed a dozen times for very obscure ICO projects.

The problem with this strategy is that it's trivial to run a script to strip off the +coin from the end.

I have my own domain name, so I've started using address aliases for different things. There's no way that they can get around that.

>There's no way that they can get around that.

unless you use high entropy aliases, there's nothing preventing someone from filtering out all the emails with "uncommon" domains for secondary examination. at that point, you can manually ascertain whether the email address is an alias or not.

    john@example.com       probably a legit address
    bitcoin@example.com    probably an alias

at that point you can either not send to that email, or if you're extra evil, try to frame another company (try sending to amazon@example.com or ethereum@example.com). it's not even that hard to do because 99.9% of people don't use custom email domains.

Email marketing is a numbers game, I doubt anyone is wasting time looking at individual addresses.

And even if a script could easily process addresses in an automated manner, it might be actively harmful to a marketer to do so. People who intentionally use disposable addresses are probably less likely to respond to email marketing and more likely to take actions against the marketer.

It's trivial to write that script, but not any more trivial than just generating lots of common_name@common_domain email addresses. Once you're willing to spam emails that didn't opt-in even to a list that you bought, you've entered into very shady territory.

Email providers should make it easy to create a (temporary) alias. E.g.: x6ab2fe0e@example.com
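An added example, not part of any comment in this thread: one way to get the high-entropy per-service aliases discussed above, derived with an HMAC so that stripping a "+tag" or guessing a dictionary word produces nothing deliverable, while a leaked address can still be traced to the service it was given to. The key, domain, service names and the `x` plus 10 hex character format are assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"   # assumption: a private key only the mailbox owner holds
DOMAIN = "example.com"             # assumption: the owner's catch-all domain


def alias_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive an opaque address for one service; it reveals neither the service nor a base address."""
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()[:10]
    return f"x{tag}@{domain}"


def strip_plus(address: str) -> str:
    """The list-cleaning step mentioned in the thread: drop a '+tag' from the local part."""
    local, _, domain = address.partition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def attribute(recipient: str, issued, revoked=frozenset()):
    """Return (service, decision) for an incoming recipient address.

    issued  -- names of services that were given an alias
    revoked -- services whose alias leaked and should now be rejected
    """
    candidate = recipient.strip().lower().encode()
    for service in issued:
        if hmac.compare_digest(alias_for(service).encode(), candidate):
            return service, ("reject" if service in revoked else "accept")
    return None, "reject"   # guessed or stripped addresses match no issued alias


if __name__ == "__main__":
    issued = ["coinshop", "newsletter"]            # constructed service names
    leaked = alias_for("coinshop")
    print(strip_plus("john+bitcoin@example.com"))  # the plus tag is removable
    print(strip_plus(leaked) == leaked)            # the opaque alias has nothing to strip
    print(attribute(leaked, issued, revoked={"coinshop"}))
    print(attribute("bitcoin@example.com", issued))
```

Because the alias is recomputed from the key, the only state to keep is the list of service names and which of them have been revoked.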

> MailChimp should add a feature IMO where if somebody uploads an email address of people opting out that this person will be blacklisted from further using MailChimp.

That would be the easiest way to eliminate spam from MailChimp's platform. Also probably the quickest way to eliminate a vast majority of their paying customers.

I‘d even pay for a feature where I would get an email from MailChimp whenever my E-Mail-Address is added to their database.

Unfortunately, not as much as the collective number of people who are willing to pay to send you an email through their platform.

Maybe a Honeypot approach would work here.

I send out a newsletter to customers about once per quarter. All recipients have opted in by actively checking a checkbox.

I'm pretty sure these mail services already monitor unsubscribe rates and spam flags. But there will always be false positives, i.e. legitimate recipients flagging a newsletter because they no longer want to receive it, or because they forgot they agreed.

Spam recipients, on the other hand, may not report these messages often enough. Some just don't bother, others rely on their mail client or company's filters.

That could make it difficult to find a reliable cut-off separating legitimate and spam mail.

The only real solution to this would be for the mail services to handle opt-in procedures. That, however, would effectively lock you in to a single provider, because it'd be suicide to change providers and ask for confirmation from every recipient again.

I don't bother reporting spam on one account. In fact, I created a rule specifically filtering spam to go to my inbox. Pretty much the only people who bother me are those who don't set their dates properly. What I mean is they set their spam to say June 02 on an email sent on February 06 of the same year. I will not hesitate to report any such email as spam. This doesn't happen often but I hope google (or any email provider) punishes such senders severely maybe even blacklist the domain.

Yeah the advice on not clicking unsubscribe or report on spam emails is wrong advice. It doesn't verify your email (other ways to do that easily). But reporting or unsubscribing will often get you off that list.

Turns out it's illegal in the UK to buy email dumps and send everyone newsletters/marketing emails -- you need explicit consent (i.e. opt-in) or a pre-existing relationship.


Given the “(EC Directive)” part I assume this is true across the whole EU.

Yeah it’s illegal to break the speed limit, too. If everybody does it and it’s selectively enforced who cares.

The drivers getting tickets.

I found your response very lacking. Why should everyone abandon care? Obviously some speed and others don't.

> I am seriously fed up with Mailchimp not taking any actual action against these users after I already told them that I don't consent to receiving any messages about any topic from anybody via their platform.

I feel your pain, but it's worth noting that email, by its very design, is intended to be open to receiving unsolicited messages. So frankly, by using email at all you have actually consented to receive unwanted emails from time to time.

I think it's unreasonable to expect MailChimp to maintain a ruthless approach to prevent people from doing something that can be done with any email client, sendmail, or any number of tools that use the open protocol of email.

Things are bad enough as it is with closed and segmented communications methods on the rise. I'm pretty happy that email exists the way that it does, and MailChimp strikes me as a company that really works hard to strike a balance between the competing needs of being useful for sending mass emails while being mindful of spam.

You are factually wrong. You are indeed right that email was designed to be open, but because emails became unusable in that form about 20 years ago, every mail provider has deployed massive spam filters that reject most unsolicited mails. Hence, currently, email is not open to unwanted emails, one has to go through many holes to arrive at mailboxes where he isn't invited.

The filters are so good that many people find that they can't even reach people that have asked them to subscribe to their mails, because they are still filtered out as spam. Enter MailChimp, the trusted mass mailer provider that helps companies bypass the spam filters by giving their mail a respectable envelope. If they allow spammers their envelope shouldn't be respected. Actually, that's clearly the theme of the OP.

And no, by using email I consented to nothing. Where I live that's actually the law - I can sue whoever sends me commercial unsolicited email, unless given explicit permission (opt-in), spammer can be liable for compensation for each and every incident.

I wish I had an inbox as well protected as what you describe but unfortunately - at least half of the non operational emails I receive are solicitation... so it seems pretty open to me...

That's kind of survivor's bias. You are not aware of the mass of mail that doesn't appear in your mailbox. When you are on the sending side, you quickly find that you don't reach your audience.

If it was open you would probably be receiving hundreds of them a minute. The filters mean many don't even try, but if the required effort was zero we would be flooded with them.

The situation was so bad before the filtering products were invented that Bill Gates tried to push small fees (stamps) as a requirement for sending emails (https://www.cbsnews.com/news/fee-based-e-mail-way-to-can-spa...).

I think it's actually pretty reasonable to expect a company based on doing mass mailouts to accept "do not call" requests from individuals.

Crypterium, by any chance?

I signed up there with crypterium.io@mydomain. Some time after, I start getting blockchain-related spam to that address. I wonder how that happened!

When I pointed out on their Telegram channel that one of two things had happened, a) they sold me, b) they got hacked, I was threatened with a ban. Their fans thought I was a raving lunatic.

I now have a support ticket open. Surprisingly it isn't really going anywhere.

I no longer accept email at crypterium.io@mydomain...

a) Don't use telegram. At least for crypto it's an utter cesspool of maniac mods on a power trip while no one who is really from the company is ever there. b) FWIW, my crypterium email never got any spam.

Every major email provider and sender already does that. That's table stakes, along with a dozen other things, that's required or else your network will be 99% spam (if it gets any kind of volume, that is).

See https://blog.mailchimp.com/where-spam-traps-come-from-and-ho...

What I want to know is how will MailChimp behave after GDPR kicks in? Will they be more drastic in clamping down on offenders, as the penalty for GDPR violations can be substantial?

MC likely acts as a data processor on behalf of its clients - therefore from a GDPR perspective consent requirement rests on their clients which would be data controllers.

that being said - MC and other reputable ESPs have for a while been much more concerned about consent for deliverability reasons

Processors have plenty of liabilities under the GDPR.


absolutely - but they do not have to ensure that data they process is properly consented - that is the role of the data collector.

Funny story. I actually sat next to a person on my last flight who does this for a living. She indicated they do business for large companies and small ones too.

They are paid on a lead basis. Average lead price is $5-$10. I don’t know how many campaigns they run at a time, but I glanced at her laptop and it looked like at least 100 active campaigns.

There is big money in this as such people will pay to get investors.

I asked about her reason for travels. She was actually going to a conference for others in her field.

Mailchimp actually states that list buying is a no go on their platform. They also have a very nice unsubscribe system that they honor - even if the downstream customer doesn't want to.

I'm sorry you've had issues with them. I hope you got a bad rep and they haven't become evil. When I used to do business with them I genuinely felt they wanted to do the right thing.

My understanding and experience is that if you complain about a specific email source, MC will ask them to prove they got your name legitimately. Now, I'm sure this can be faked, but I'm not sure MC is to blame.

After my email was leaked on the bitcoin forum dump, I get the same kind of spam via email and also targeted ads on Google and Facebook.

I think about 3 times a week I get emails from a new cryptocurrency upstart that I've never heard of but which is using either the hacked Mt.Gox or BTC-e list.

The practices these people are using are scummy as fuck.

It's possible to block all mail sent through mass mailers like mailchimp and many others like it. Just block by the connecting client address/reverse looked up domain. They don't use that many 2nd level domains. If they're sensible they'll penalize senders for sending to email addresses that return 5xx errors and drop your address from their lists permanently.

And then you end up losing legitimate mail as well.

Why? Just use a different address for the legitimate service and whitelist it. If an address is out there on some spam list, you'll be getting spam to it eventually.

I have different rules for different addresses. Public e-mail addresses and e-mail addresses that are meant for online services. Public ones are permanent and filtered and mailchimp and similar don't get to send mail there. The other type of address is whitelisted and disposable. Everything ends in the same mailbox. Works like a charm.
