Sunday, February 26, 2017

Spam, courtesy of LinkedIn

Over the last few years I've been noticing an exponential increase in the amount of spam I receive from IT vendors in my company mailbox.  After occasionally replying to some of these messages and bluntly asking them where they obtained my email address, I finally learned something interesting:


Me:  Hi (name), yes, we do have a need for your services from time to time.  May I ask how you obtained my email address?

Vendor:  I curated LinkedIn for contacts.

Me:  This email address isn't associated with my LinkedIn account, and my employer is not visible to anyone who is not a Connection.  Sorry, I'm just trying to figure out why I am getting so much spam.

Vendor:  The paid subscription of LinkedIn Recruiter allows me to see people not in my immediate network.  Most companies have a standard email format i.e. first.last@company.com. Once the format is known, then I just autofill with Excel.

So apparently spammers are using LinkedIn Recruiter to find names and companies then do a bit of hacking to find out the company email format.  I'll call them SWULRs - Spammers Who Use LinkedIn Recruiter.

What can we do about this?
  1. Implement a better spam filtering solution.  In the past I used mxLogic.  After establishing service, you point your MX record to their servers, they filter out the spam and forward legitimate email to your Exchange server.  Your Exchange server only accepts connections from mxLogic.  They would never explain how they were filtering spam, but it was very effective.  And very few false positives.  Be sure to also send out through them so they can build whitelists automatically for return mail.  Out-of-office autoreplies exempted, of course.  A side benefit is disaster recovery; they spool inbound messages when your Exchange server cannot be reached.
  2. Change your company name in LinkedIn to "Company Confidential" and remove any descriptions of your company or parent company from the job description.  However, your other connections may not do this and SWULRs may use their company names combined with your name in their attempts.
  3. Use something other than flast@company.com or first.last@company.com as the email address standard at your company.  Try flastnnn@company.com where nnn is the employee's payroll ID or just a random number.  This requires convincing management of the need.  Be sure to support your argument with the estimated cost of employee time lost dealing with spam.  And watch out for the marketing department that wants email addresses to be pretty.  You've already had to explain how email addresses and URLs should not contain uppercase characters.
  4. Not a solution, but good advice:  Make sure your LinkedIn account is tied to your personal email account not your company email account.  You may be changing employers in the future, may forget to change your email address, or may not be changing employers voluntarily; losing access to your company mailbox to confirm a password reset or email address change.  This keeps company email addresses out of the LinkedIn database.  And if anyone tries to send you a LinkedIn connect request through your company email, go to the LinkedIn website directly and add the contact from there.  You don't want your company email address tied to your account in any manner.
Now I understand why Konami's IT department assigns a short set of random numbers to the end of each user's email address.  For example, cgrote427@company.com.  Initially I thought this was overkill, but it's definitely effective.

This debacle reminds me of the concerns I had over Plaxo years ago.  Users would install Plaxo on their computers to "synchronize" their contacts.  An inspection of the Plaxo terms of service and privacy policy revealed an interesting clause about email address privacy practices being subject to change in the event of a change in ownership.  Meaning Plaxo was potentially building up a huge database of users' email addresses (and those of their unwilling contacts) while providing a free "synchronization" service in anticipation of selling themselves to a mailing list company who would then change the policy and use the harvested addresses for nefarious purposes.  Users were warned accordingly.

Well to my knowledge Plaxo never sold themselves off to a mailing list company.  But LinkedIn may be the new Plaxo, in terms of threat to email privacy.

I understand that LinkedIn offers a free service to those of us who want to share our employment and skills with our business contacts, but their failure to perform proper vetting of users signing up for access to the Recruiter service justifies some action on our part to protect our valuable time.  I would rather pay LinkedIn an annual membership fee, get them to simplify the site; remove all the fat javascript code that is increasing their bandwidth operating costs and slowing down my browser, and focus on what its users want it to do, rather than run a sideline business to profit off user data.

Spam after all is a very inefficient means for vendors to reach clients.  Better to make their service discoverable through internet search or listing sites such as Yelp, Angie's List and the like.  There is a very small chance that a broadly targeted email solicitation will be of interest to a client, but a very large chance that a client searching for a service on the internet is ready to buy. 

Vendors, please have someone available to answer the phone or email when that client contacts you.  Seems like companies are allocating more resources to obtaining clients through marketing rather than maintaining adequate sales and customer service staff to facilitate actual sales.  This past month I contacted 5 companies whose product or service I am interested in buying and only heard back from 1.


External Links:

https://www.wired.com/2013/04/the-real-reason-you-should-care-about-linkedin/
The above site is best viewed using Firefox or Safari in "reading view" to bypass the "register to view article" overlay.


No comments:

Post a Comment