As a digital marketing services agency we provide strategic email marketing services, search engine optimization, and other web-related marketing services. But you’ll never find us engaging in abusive email marketing tactics nor black-hat SEO or web development practices. Why? Simply put, it’s unethical and it’s bad for business.
But we’ve recently had our business reputation jeopardized by email spammers.
It has been difficult for us at SEMbyotic to wrap our heads around the fact that a spammer has hijacked our physical business address and has begun using that contact information in their abusive spam campaigns. Take a look:
As you can see, the sender’s email address is not our SEMbyotic domain so any replies or unsubscribes did not come to us.
So how did we find out about the emails?
It all started in June of 2018 when we began to receive web contact forms submissions via our website containing spam email complaints. Lot’s of them. And as of this writing, the complaints are still coming – and we make every effort to respond to each one personally.
Once we determined that there was a high-volume email attack in play, we asked for the emails to be forwarded to us so we could take a look at what we were dealing with. And yup, our business address is being used to hock everything from vacations to Viagra and tires to travel.
After reviewing some of the emails, we then researched how we might be able to stop the emails and who we might be able to complain to in order to get the emails to stop.
What we discovered is disturbing.
The majority of the recipients of the spam campaigns are using AOL, but there are also Juno, SBCglobal.net, and Netscape users being targeted as well.
The majority of complainants had tried repeatedly to unsubscribe by clicking the unsubscribe link at the bottom of the email. We suspect this action only increased the frequency of the spam emails and potentially exposed them to malware.
This is likely the spammers’ true intention; to annoy recipients to the point that they can no longer ignore, or they get tired of deleting emails, to the degree that they finally click through in desperation to stop the flood of unwanted spam.
Eventually, after multiple unsuccessful attempts at unsubscribing and only receiving MORE unwanted email, a fraction of the targets finally Googled the physical address (Silicon Valley 177 Park Avenue Suite 100 San Jose 95113) at the bottom of the email and came upon SEMbyotic as a top search result. (We’re an SEO agency after all.) They then submitted a complaint via the web contact form, or contacted us via the email address or phone number listed on our website.
Keep in mind that only a small fraction of the people receiving these spam emails are actually conducting an online search for the address at the bottom of the emails and subsequently complaining to us. We suspect we have only been dealing with the tip of a very large spammy iceberg and still, we are receiving multiple complaints per day, every day, even on weekends and this has been going on since June 2018.
All told, we have reported the spam campaign to six entities so far.
Given the fact that phishing, intrusive malware, and denial-of-service attacks are very real security threats, we felt we needed to alert any and all entities we could – government or otherwise – who might be able to shut the spammers down. Here’s who we have reported to:
The Federal Trade Commission (FTC)
The FTC is who we contacted first but, as of this posting, the FTC has yet to respond to our multiple complaints or requests for a case number so we can more effectively follow-up on our existing complaints. So while we believe reporting to the FTC via email@example.com was something we needed to do, and we encourage all spam recipients to report there as well, we are not confident that this government agency will actually do anything about the spam in a timely manner.
Our hope is that if more people complain, the more likely the FTC will take action, but at the very least perhaps they are keeping track.
The Better Business Bureau (BBB)
Of course, we don’t think that the BBB will actually be able to do much about this. But we wanted to address the issue with them since surely we will receive complaints there about the spam. While it appears only a few complaints have been made so far to the BBB on this issue, we expect there will be more to come until the spammer is shut down.
Update: On Dec 20, 2018, the BBB proactively added a disclaimer to our BBB business listing alerting their website visitors to this issue with spam emails. We appreciate their help and support.
We contacted SendGrid as soon as we determined that they are one of the email marketing service providers that the spammers are using to blast their email campaigns. SendGrid’s response has been lack-luster.
Upon receiving a forwarded spam email as an example, the contact with SendGrid compliance didn’t appear to be interested in looking at the broader issue. He responded, “We have identified where this image was hosted and have removed this image. It should no longer be displayed. Please let us know if this continues.”
Once we explained that the issue was not with one single image (oh, how we wish!), the SendGrid representative still did not appear interested in the broader problem. SendGrid appears to be relying on SEMbyotic to send one example after the next, only to take care of those individual instances.
Here is SendGrid’s latest email response to our attempts to get them to shut down the abusive account:
“Thank you for your follow up. We have a whole team of people working to keep malicious users off of our platform. While we do not attempt to idenify (sic) the specific individuals behind these messages we do continulsy (sic) update our filters and polices to adapt to the ever changing abuse that malicious users attempt.
Feel free to direct any recipients that are reporting to you to firstname.lastname@example.org”
We at SEMbyotic are not at all satisfied with this response to the obvious abuse of their platform and our business address. From our perspective, we presume that SendGrid has the ability to identify the abusive account and shut it down for violating its terms of service, but they appear to have chosen not to.
To be fair, if they haven’t done so yet, it is likely that the spammer will move their operations from one email service provider to another. If the email abusers have now moved off from SendGrid, I suppose we owe them an apology. But we believe SendGrid missed a real opportunity to identify and shut down a very prolific cybercriminal operation.
Update: On December 19, 2018, we received confirmation from a complainant that the spammers are still using SendGrid.
Amazon Web Services (AWS)
As soon as we were able to inspect an email that a recipient forwarded to us, we determined that the images within the spam email were being hosted on Amazon S3. S3 stands for Simple Storage Service. This is where the spammers are storing the images used within the emails, including the ones that use our address.
Their response, after review:
Thank you for your report. We appreciate your assistance in helping to identify potentially abusive content on our networks.
We’ve reviewed your report and at this time the content appears to be no longer active or available. If you have any evidence otherwise, please let us know.
And yet the spam email complaints continued to flow in. It’s at this point that we realized we weren’t going to get much help from the services the spammers were using. So we upped our reporting game.
The Federal Bureau of Investigation (FBI)
We called our local FBI bureau in San Francisco on August 27, 2018, and Agent Andrew Johnson took down all of the pertinent information and asked follow-up questions. He then asked that we complete an IC3 complaint form which we did.
As of this writing, we’ve had two follow-up discussions with their Cyber Crimes division. While the FBI rightfully holds their cards very close to the vest, we see this as encouraging that this agency is actively investigating.
The California Department of Justice, Attorney General’s Office
On August 30, 2018, we had the pleasure of responding to a legal complaint submitted to the California Department of Justice – the State Attorney General’s Office.
Again, we explained the situation in painful detail and provided evidence to the fact that we are not the culprit. We shared all we know about the situation. We also requested that if they “have influence to get the attention of the proper agencies over this matter, it would be greatly appreciated.”
While this has resolved the complaint against us, this has not resolved the spam issue for those still affected or at risk.
So what should you do if you experience a tsunami of spam emails?
Flag. Block. Report.
The California Department of Justice has some good advice on what to do about unwanted email communications. They recommend that you:
- Do NOT click. Never respond to email spam. Your response is likely to trigger more spam to your email address.
- Flag emails as spam and use an email filter. Most Internet Service Providers (ISPs) now offer spam filter tools that let you designate the email addresses you want to receive in your inbox and divert messages from unfamiliar sources into a separate folder. Contact your ISP for more information on how to set this up.
- Sign up with the Direct Marketing Association’s Email Preference Service at https://www.ims-dm.com/cgi/optoutemps.php. It’s free and lasts for six years. This is a voluntary industry program that will stop some but not all junk email.
- Report email spam to the Federal Trade Commission by sending a copy of the unwanted or deceptive messages to email@example.com, or visiting their website, FTC Complaint Assistant.
- Report email spam to your ISP such as Comcast, Google Fiber, etc.
If you are one of the many folks currently dealing with this spam issue, we hope this information on where and how to report the spam helps stop the flood of emails. We’ll continue to update this post with any other information we uncover.