How to Steal Reputation

Posted by J.D. Falk on

by J.D. Falk
Director of Product Strategy, Receiver Services

Much as the term “pre-header” is now locked into email marketing parlance even though what it describes is neither pre- nor header, the term “reputation hijacking” continues to spread through the anti-spam community and the press.

“Reputation hijacking” is intended to describe when a spammer or other bad actor uses someone else’s system — usually one of the large webmail providers — to send their spam. The idea is that in doing so, they’re hijacking the reputation of the webmail provider’s IPs instead of risking the reputation of IPs under their own control. But I really have to laugh (though mostly out of sadness) whenever this technique is described as something new.

The first spam I dealt with, way back in the mid-nineties, was sent by a user on a shell server. So was nearly all of the other spam of that era. Some was sent via Compuserve, AOL, Prodigy, etc., but it was all from what today we’d call an individual end user’s email account.

Then some of the spammers realized they could get dedicated servers — and that worked for a while. The community responded by swapping lists of IP addresses to block, eventually leading to the MAPS RBL and other fairly slow IP blacklists, and the whole battle became whether the spammers could move to new IPs before they got caught. That’s what drove them to botnets in the first place.

But in the meantime, the spammers didn’t stop sending through Hotmail and Yahoo! and other online services — particularly the people who send the advance-fee fraud scams from illusory African governments. Outbound spam was a big and growing problem when I was at Hotmail from 2001 to 2004, and it was even bigger and growing even faster when I was at Yahoo! from 2004 to 2007. Most of the methods these companies and others have used to try to reduce the amount of spam sent by their users is hidden in the background; the most visible response is the “CAPTCHA” image, that series of letters and numbers which you have to type to prove that you’re a human. It has become a common refrain that “CAPTCHA is broken and useless,” but you can’t even imagine how much spam would get through if simple techniques like CAPTCHA weren’t used any more. (Though, to be fair, many CAPTCHA implementations are trivially easy to break.)

Even though the services being abused have changed over time, and the scale has increased, and the rate of change is measured in hours rather than weeks, the core problem described by that silly term “reputation hijacking” is still the same as it was fifteen years ago: the spammers are using other peoples’ servers and reputation when sending spam, and those other people are trying to stop them.


Popular this Month

 Video in Email: Is It Right For Your Business? (Part 1)

Video in Email: Is It Right For Your Business? (Part 1)

Video in email is nothing new. Marketers have been using some form of video...

Read More

 [New Research] Are These Hidden Metrics Harming Your Deliverability?

[New Research] Are These Hidden Metrics Harming Your Deliverability?

Reaching the inbox is not as simple as hitting send. Once a message is...

Read More

 What Job Is Your Subscriber Hiring Your Email To Do?

What Job Is Your Subscriber Hiring Your Email To Do?

Over the last 16 years, I’ve worked as a product manager, run product...

Read More

Author Image

About J.D. Falk

Author Archive

Stay up to date

Enter your name and email address below to subscribe to our mailing list.

Your browser is out of date.
For a better Return Path experience, click a link below to get the latest version.