Barack Obama: When the Same Email is Both Solicited and Spam

The re-election campaign of U.S. President Barack Obama sent a bulk email today to two email addresses of mine. One of those email addresses was subscribed to that list by me a couple of months ago, so that I could keep current on election news. (During campaign seasons I usually subscribe an email address to most candidates’ lists to see what they have to say, and how they handle their lists.) The other is a spamtrap that, if it ever belonged to a real person, was closed no later than 2005. Both of these emails were sent from the same IP and are otherwise identical. The ESP is Blue State Digital.

This incident illustrates a problem that blacklists and reputation services face almost constantly: what to do when the same email from the same sender is both solicited and even wanted in some cases, but unsolicited and spam in others. Despite what many marketers and senders of bulk advertising email might think, the people working at most widely-used blacklists and reputation services don’t want to block email that a user asked to receive. They find it extremely frustrating when a business, or a non-profit organization, or a political campaign sends bulk advertising email to both legitimate subscribers and spamtraps. Should they block the spam, even though some of the email was requested? Or should they not block it, even though some of the email (often a significant amount) is spam?

Fortunately, I don’t have to make that decision. Unfortunately, unless my spamtrap is the only non-opted-in email address on President Obama’s campaign list (which I do not believe for a minute), other people will have to make that decision. That strikes me as poor strategy by those in his campaign who manage this email list, and who presumably want his supporters to receive this email. And a number of other political campaigns — for candidates whose politics span the U.S. political spectrum — are making the same mistake.

Sending IP: 69.25.74.172

Spam Sample:

Actual Headers:

Received: from mta-inap6.bluestatedigital.com (mta-inap6.bluestatedigital.com [69.25.74.172])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Tue, 21 Feb 2012 11:xx:xx -0600 (CST)
Received: by mta-inap6.bluestatedigital.com (Postfix, from userid 507)
        id <xxx>; Tue, 21 Feb 2012 12:xx:xx -0500 (EST)
DKIM-Signature: <xxx>
Received: from maillist-o
        by bounce.bluestatedigital.com with local (PHPMailer);
        Tue, 21 Feb 2012 12:xx:xx -0500
Date: Tue, 21 Feb 2012 12:xx:xx -0500
To: <xxx>
From: Barack Obama <info@barackobama.com>
Reply-to: info@barackobama.com
Subject: This seat is yours
Message-ID: <<xxx>@bounce.bluestatedigital.com>
X-Priority: 3
X-Mailer: PHPMailer [version 1.71-blue_mailer]
X-maillist-id: <xxx>
X-maillist-guid: <xxx>
List-Unsubscribe: <https://my.barackobama.com/unsubscribe?email=<xxx>>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="<xxx>"

Readable Email:

From: Barack Obama <info@barackobama.com>
To: <spamtrap>
Subject: This seat is yours
Reply-to: info@barackobama.com

Friend —

Tomorrow night, we’ll pick the first of four supporters who will sit down with me for dinner.

I’m hoping you’ll take me up on the invitation.

Donate $3 or whatever you can today to be automatically entered for the chance to be my first dinner guest:

https://donate.barackobama.com/The-First-Guest

These meals are one simple thing that sets this campaign apart. The seats at our table don’t belong to any Washington lobbyist or powerful interest.

These seats are yours.

Donate $3 or more today and be automatically entered to win:

https://donate.barackobama.com/The-First-Guest

Hope to see you,

Barack

<removed>

———————————————————————
Paid for by Obama for America

Contributions or gifts to Obama for America are not tax deductible

This email was sent to: <xxx>
To update your address, go to:
http://www.barackobama.com/change-address?<xxx>
To unsubscribe, go to: http://my.barackobama.com/unsubscription

21 Responses to Barack Obama: When the Same Email is Both Solicited and Spam

  1. We are investigating this…

    Thanks for bringing this to our attention!

    • You’re up early. 🙂 I’m glad to hear that you’re on the case.

      One bit of possibly useful information — Obama’s campaign is not confirming subscriptions to their list from their web site. You just put in your address, and it’s added to their list with no further ado. I know because I subscribed to the list that way.

      I don’t know what they do behind the scenes, of course, but not confirming web subscriptions means that a typoed email address is likely to end up on the list without being corrected. So is any email address, such as a known spamtrap, put in by a third party whose intentions might not be good. This spamtrap isn’t a known spamtrap, but it could still have ended up on Obama’s list if some opponent wrote a script to “feed” a known dirty list to his web site.

      Or, of course, somebody who works for his campaign might have purchased a list. Since political spam isn’t regulated by CAN-SPAM, a lot of campaign managers seem to think that anything they do is OK. This year that attitude is likely to be counterproductive, if not outright dangerous to deliverability.

  2. This mailing was sent to one of my spamtraps as well. Apparently somebody on Obama’s team thinks that people in the UK are willing to pay for a chance to dine with him. And I might have done, but not in response to spam.

  3. Tom,

    Thanks for letting us know about the scope of this problem.

    Do you have the date of the mailing?

    This will help us isolate a specific list /upload for this client

    Thanks!

  4. Tom,

    Could you post redacted headers for the message that you received?

  5. It looks like the same mailing and was sent on the same date. Headers are below.

    Received: from <redacted> (EHLO mta-inap6.bluestatedigital.com) (69.25.74.172)
      by <redacted> with SMTP; Tue, 21 Feb 2012 <redacted> +0000
    Received: by mta-inap6.bluestatedigital.com (Postfix, from userid 507)
            id <redacted>; Tue, 21 Feb 2012 <redacted> +0000
    DKIM-Signature: <redacted>
    Received: from maillist-o
            by bounce.bluestatedigital.com with local (PHPMailer);
            Tue, 21 Feb 2012 <redacted> +0000
    Date: Tue, 21 Feb 2012 <redacted> +0000
    To: <redacted>
    From: Barack Obama <info@barackobama.com>
    Reply-to: <info@barackobama.com>
    Subject: This seat is yours
    Message-ID: <<redacted>@bounce.bluestatedigital.com>
    X-Priority: 3
    X-Mailer: PHPMailer [version 1.71-blue_mailer]
    X-maillist-id: <redacted>
    X-maillist-guid: <redacted>
    List-Unsubscribe: https://my.barackobama.com/unsubscribe?<redacted>
    MIME-Version: 1.0
    Content-Type: multipart/alternative;
            boundary="<redacted>"
    Content-Length: <redacted>
    
  6. Tom,

    Can you also post the message body for the one you received?

    There were multiple rcpt lists involved in the mailing for that time frame and Subject

    Thanks!

  7. And the redacted message bodies could be different depending on the recipient list

  8. Interesting…. The mailings from Blue State Digital/barackobama.com are continuing, from a new IP today. Both that new IP *and* the IP for the URL/host my.barackobama.com (70.42.50.159) are now listed in the NJABL, a small blacklist that has a reputation for accuracy and fairly conservative listing policies.

    Blueman, are you mailing different parts of the Obama campaign list from different IPs to investigate which parts of their list have problems?

    Tom, did they hit your spamtrap today?

  9. SpamBouncer,

    We absolutely do NOT rotate IPs on client mailings..

    We maintain a core set of IPs that handle all client mailings.. these can all be verified with DNS… we have worked hard at establishing decent reputations for them all (SenderScore, etc..)

    Obama has (to put it plainly) a very large constituent list.. much segmentation, etc.. we have been investigating the earlier report… but need a 2nd data point (Tom Mortimer’s message body) to properly pinpoint and isolate the problem segment /list..

    ps: we have had some rather unsavory dealings with NJABL. We find them hardly conservative.. and prone to false positives

  10. For a complete list of our sending IPs:

    dig TXT bluestatedigital.com

    and follow the ‘includes’…
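
The lookup described in the comment above, written out as an added example (not part of the original thread and not Blue State Digital's tooling): it walks `include:` mechanisms in SPF TXT records, collects the published `ip4`/`ip6` ranges, and checks whether a sending IP is among them. The domain names and address ranges are constructed placeholders held in a dictionary in place of live DNS; only `ip4`, `ip6` and `include` are handled.

```python
import ipaddress

# Constructed TXT records standing in for live DNS answers (not real data).
TXT = {
    "esp.example": "v=spf1 include:_spf1.esp.example include:_spf2.esp.example ~all",
    "_spf1.esp.example": "v=spf1 ip4:192.0.2.0/25 include:_spf2.esp.example -all",
    "_spf2.esp.example": "v=spf1 ip4:198.51.100.16/28 ip4:203.0.113.7 -all",
    "loop.example": "v=spf1 include:loop.example -all",
}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms per evaluation


def expand_spf(domain, txt=TXT):
    """Return (networks, include_lookups) for the SPF tree rooted at domain."""
    networks, seen, lookups = [], set(), 0

    def walk(name):
        nonlocal lookups
        if name in seen:  # include loop or repeated include: do not re-expand
            return
        seen.add(name)
        record = txt.get(name, "")
        if not record.lower().startswith("v=spf1"):
            return
        for term in record.split()[1:]:
            mech = term.lstrip("+-~?").lower()  # drop the qualifier
            if mech.startswith(("ip4:", "ip6:")):
                networks.append(ipaddress.ip_network(mech[4:], strict=False))
            elif mech.startswith("include:"):
                lookups += 1
                if lookups > MAX_LOOKUPS:
                    raise ValueError("SPF lookup limit exceeded")
                walk(mech[8:])

    walk(domain.lower())
    return networks, lookups


def is_listed_sender(ip, domain, txt=TXT):
    """True if ip falls inside any range published under domain's SPF tree."""
    addr = ipaddress.ip_address(ip)
    nets, _ = expand_spf(domain, txt)
    return any(addr in net for net in nets)
```
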

  11. SpamBouncer,

    We have isolated 2 suspect segments, both of which have unique sources. I would like to forward the 2 possible sources in whatever format is acceptable. The total recipient count for these particular segments is a bit over 11,000 addresses.

    We are not looking to identify the actual addresses, just the source, so it can be dropped.

  12. Please forward to mainsleaze@spambouncer.org, and I’ll check them for my spamtrap. (Don’t forget that one of the two emails that I received was solicited — I won’t include that email address in my check.) With your permission, I’ll ping Tom as well. (He only monitors the MainSleaze site periodically.) Let me know when you forward these emails whether I should send them to him, or you would prefer to do it yourself.

  13. Great,

    If Tom can check as well, that would ensure the source is completely dropped. You have our consent.

    I will let you know when we send it

    • Catherine told me I had comments waiting. My apologies for not responding sooner. I normally check this site only once or twice a week.

      I just reviewed the list of suspect email addresses that you sent to her. My spamtrap was on that list. (Since it isn’t a spamtrap seconded to Spamhaus, I can tell you that.) Do you still need a redacted message body?

  14. SpamBouncer,

    Email and list have been sent to mainsleaze@spambouncer.org

  15. Unfortunately the spamtrap hits continue, along with the email to the email address that requested that email. The latest was yesterday, March 1, from “Julianna Smoot, BarackObama.com”.

    • SpamBouncer,

      I just sent you an update via email.

      • Got it, and just responded.

        Everyone — blueman and I are discussing possible security problems with this list, a discussion that is both orthogonal to the point of this blog and best held in private. 🙂 I’ll summarize once we’ve reached some sort of conclusion.

        To reiterate what the blog was about, though, a single bulk email list can contain both opted in, fully legitimate email addresses and spamtraps if the list owners purchase lists, or if that list accepts subscriptions from non-confirming web forms or other non-vetted sources.

        The Obama re-election campaign has a non-confirming subscription process. A malicious subscriber could and likely did feed it some email addresses that did not ask for its email. If that can happen to the Obama campaign, it can happen to you. *Don’t* be careless with your email acquisition practices ESPECIALLY if you’re a political campaign or activist whose cause might attract attention from unethical opponents!

        As for those companies or organizations that try to slip purchased or epended lists into their legitimately gathered lists, and send the same bulk email to both from the same IPs, you are absolutely asking to have those IPs blocked. You are likely also to end up with a reputation for spamming, which will impact your ability to send bulk email even to those who asked for it. Remember the old Russian story of Peter and the Wolf? If you hit spamtraps repeatedly, nobody is going to believe you when you claim email was asked for, even when you’re telling the truth.

  16. Unfortunately the discussion ended a month or so ago, after I was asked to “validate” a list of email addresses that consisted mostly of .EDU, .GOV, and .MIL addresses. As Blue State Digital knows, but many of you may not, domains in those TLDs are handed out only to qualifying entities, and email addresses at those domains are closely held. Such email addresses would not normally appear in a spamtrap collection owned by an individual. That meant that the small number of other email addresses on the list was too small for me to verify anything without exposing a spamtrap.

    I was not pleased about this, and told Blue State Digital so. I could not see this having been other than deliberate. :/ I did not hear back from them again.

    Since then, the Obama administration spamtrap hits have continued, along with the email to the subscribed address. I haven’t seen any email from the Obama campaign to additional spamtraps, however, so the problem has not grown. I hope that those responsible for managing this mailing list have at least instituted some security procedures to prevent forged subscriptions. :/

  17. Pingback: A Tale of Two Presidential Campaigns…. » MainSleaze
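
The comments above trace the spamtrap hits to a web form that adds addresses without confirmation. As an added example (not code from the post, the commenters, or any campaign system), here is a minimal confirmed opt-in flow in which a form submission stays pending until the mailbox owner returns a signed token. The class name, key and expiry period are assumptions made for illustration.

```python
import base64, hashlib, hmac

SECRET = b"constructed-demo-key"  # assumption: a real key comes from a secret store
TOKEN_TTL = 3 * 24 * 3600         # assumption: confirmation links expire after 3 days


def _sign(email: str, issued: str) -> str:
    mac = hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


class SubscriberList:
    def __init__(self):
        self.pending = set()    # form submissions; never mailed in bulk
        self.confirmed = set()  # addresses whose owner returned the token

    def submit(self, email: str, now: float) -> str:
        """Web-form handler: returns the token to send to that address only."""
        email = email.strip().lower()
        if email not in self.confirmed:
            self.pending.add(email)
        issued = str(int(now))
        return f"{issued}.{_sign(email, issued)}"

    def confirm(self, email: str, token: str, now: float) -> bool:
        """Handler for the link in the confirmation message."""
        email = email.strip().lower()
        issued, _, sig = token.partition(".")
        if not issued.isdigit() or now - int(issued) > TOKEN_TTL:
            return False  # malformed or expired token
        expected = _sign(email, issued)
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return False  # token was not issued for this address
        if email not in self.pending:
            return False
        self.pending.discard(email)
        self.confirmed.add(email)
        return True

    def bulk_recipients(self):
        """Only confirmed addresses are handed to the bulk sender."""
        return sorted(self.confirmed)
```

An address entered by a third party, whether a typo or a spamtrap, receives one confirmation message and then ages out of `pending` without ever reaching the bulk list.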
