How do internal email addresses get added to purchased lists?

Key findings

• Data breaches: A common cause is when a client's or partner's address book is compromised by malware or a phishing attack, leading to the extraction of contact details, including internal email addresses.
• Information scraping: Automated tools (bots) can crawl websites, public directories, and online forums, extracting email addresses that are publicly visible or guessable. Even addresses like 'abuse@' or 'postmaster@' are often scraped and added to such databases.
• Event attendee lists: Some 'list vendors' illegally sell attendee lists from events, which may include internal company contacts who registered or attended. These lists are often unauthorized and contain stolen data.
• Lack of consent: Purchased email lists inherently lack consent from recipients, making them non-compliant with most email marketing platforms' policies and data privacy regulations. Mailchimp, for example, provides examples of compliant and non-compliant lists.
• Spam trap inclusion: Many purchased lists contain spam traps, which are email addresses specifically designed to identify senders who use illegitimate list acquisition methods. Hitting these spam traps can severely damage your sender reputation and lead to blocklisting.

Key considerations

• Deliverability impact: Using purchased lists almost always results in poor deliverability, including high bounce rates and low engagement, as recipients have not opted in to receive your emails. This is a primary reason why purchased email lists cause deliverability issues.
• Legal and ethical implications: Sending to non-consented lists can violate privacy regulations like GDPR and CAN-SPAM, leading to legal penalties and damage to your brand's reputation.
• Monitoring and reporting: Implement systems to track unsolicited emails sent to your internal addresses. This helps in identifying potential sources of data leakage or illicit list compilation activities.
• Proactive protection: While difficult to prevent entirely, businesses should educate employees on phishing and malware risks, and ensure robust security measures are in place to protect contact data. Consider using unique email addresses for different purposes to track leaks.

Key opinions

• Common occurrence: Many marketers receive unsolicited emails to internal addresses, indicating it's a widespread problem rather than an isolated incident.
• Data compromise: A common theory is that client address books or other systems might have been infected, leading to the theft of contact information.
• Ethical concerns: Marketers frequently express anger and disappointment regarding vendors selling unauthorized, potentially stolen, event attendee lists.
• Guessing game: Some suggest that certain internal addresses like sales@ or support@ might just be guessed by list compilers, though this doesn't fully explain highly specific internal addresses.
• ESP limitations: While some ESPs (Email Service Providers) like Mailchimp have systems to detect bad lists (e.g., Omnivore), they often cannot catch every purchased list, suggesting a budget constraint or difficulty in acquiring every bad list for their detection systems.

Key considerations

• Never purchase lists: The consensus among ethical marketers and deliverability professionals is to avoid purchased email lists entirely due to compliance and deliverability risks. Instead, focus on organic list building to build a high-quality email list.
• Report misuse: If you receive unsolicited emails to internal addresses, consider reporting the sender to the event organizers (if applicable), their ESP, or relevant authorities, especially if the data appears stolen.
• Protect your data: While internal addresses are meant to be private, ensure your organization's security protocols are robust to prevent data breaches that could lead to your contacts appearing on such lists.
• Understand the risks: Marketers should be fully aware of the severe risks and downsides of cold emailing a purchased list, including damage to sender reputation and legal issues.

Key opinions

• Spam trap hits: Experts confirm that purchased lists almost always contain spam traps, which are invisible to marketers but are crucial for ISPs and blocklist operators to identify spammers. Hitting these traps is a direct path to getting blocklisted.
• Reputation damage: Sending to non-consented lists inevitably leads to high complaint rates and low engagement, signaling to ISPs that your mail is unwanted. This quickly erodes your sender reputation, affecting even legitimate campaigns.
• List decay acceleration: Purchased lists typically have a rapid decay rate due to invalid addresses and unsubscribes, making them an unsustainable and costly long-term strategy for email marketing. This contrasts sharply with building a sustainable, high-quality email list.
• Ethical responsibility: Many experts emphasize the ethical obligation to only send to recipients who have explicitly opted in, aligning with best practices and regulatory compliance.
• Automated detection: ISPs and email platforms employ sophisticated algorithms to detect unusual sending patterns, high bounce rates, and spam trap hits, making it difficult to use purchased lists without being caught.

Key considerations

• Focus on permission: The only viable long-term strategy is to build a list through opt-in methods, ensuring explicit consent from subscribers.
• Validate all lists: Even legitimate lists should be regularly cleaned and validated to remove invalid or risky addresses, especially to avoid high unknown rates when validating lists. This includes identifying and filtering bot email addresses for hygiene.
• Understand the repercussions: Be aware that using purchased lists can lead to your emails going to the spam folder, your domain getting blocklisted, and ultimately, a significant drop in ROI.
• Domain reputation management: Proactively monitor your domain's reputation using tools like Google Postmaster Tools. A damaged reputation from purchased lists can take a long time to recover from a bad or low status.

Key findings

• Consent is paramount: Documentation from major email service providers and regulatory bodies universally stresses the necessity of explicit consent for email marketing. Purchased lists inherently violate this principle.
• Data protection laws: Laws like GDPR and CAN-SPAM outline strict requirements for data collection and email communication, making the use of purchased lists risky from a legal standpoint.
• High bounce rates: Documentation often links purchased lists to high bounce rates, indicating a large number of invalid or non-existent addresses, which negatively impacts sender reputation.
• Compliance mechanisms: ESPs have features to help users maintain compliant lists, such as double opt-in verification, which ensures only quality email addresses are added and reduces the risk of spam traps or invalid entries.

Key considerations

• Avoid purchased lists: Official guidelines explicitly advise against using purchased, rented, or scraped email lists due to the significant risks they pose to deliverability and legal compliance.
• Build organically: Prioritize building your email list through legitimate, opt-in methods such as website sign-up forms, content downloads, and point-of-sale interactions. For internal purposes, consider setting up an email seed list.
• Maintain list hygiene: Regularly clean and manage your mailing list to remove inactive subscribers, hard bounces, and any suspicious addresses, which helps maintain a healthy sender reputation.
• Understand legal obligations: Familiarize yourself with email marketing compliance do's and don'ts to avoid penalties. The University of Edinburgh, for example, offers guidance on mailing lists and data protection.