Posted to users@spamassassin.apache.org by "Kevin A. McGrail" <KM...@PCCC.com> on 2013/10/09 21:24:58 UTC

KAM's email to Cvent Re: KAM pccc URIBL questions

Below is a copy of the email from Cvent and my response with some minor 
redaction so as to keep who I'm in discussion with private unless they 
want to take the discussion public.

regards,
KAM

Sorry for the delay on this response but I wanted to give it some 
serious attention especially as the chair of the SpamAssassin project.  
As part of that project, I have an onus to the foundation to maintain 
transparency and discuss this on the mailing list (See 
http://theapacheway.com/ for more about this.)  For now, I've cc'd the 
project management committee and will forward a copy of the email 
removing your name but welcome this discussion to continue on the User's 
forum for SpamAssassin.  I think if you can show you are working in good 
faith to fix the issues, you will see the anti-spam community rally 
behind you.

First off, I have removed your current RBL entry from the list in 
discussion based solely on the fact that you have reached out in good 
faith on a dialogue about the issue.  Thank you for taking the time to 
do that.  I look very much forward to your response and will keep an 
open mind.

Second, I will give you a portion of the evidence I have. However, to 
me, this is less about fixing specific issues of spam and instead fixing 
either the culture or architecture that is allowing this systemic abuse.

For example, I can see some abuse by one of your customers:

vette:Aug 21 10:51:40 2013 (15216) TheBoard post from webinars@crowdcompass.com held, message-id=<0e...@cventinvite.com>: Post by non-member to a members-only list
vette:Aug 28 10:53:36 2013 (15216) TheBoard post from webinars@crowdcompass.com held, message-id=<4c...@cventinvite.com>: Post by non-member to a members-only list
vette:Sep 03 10:51:55 2013 (15216) TheBoard post from webinars@crowdcompass.com held, message-id=<79...@cventinvite.com>: Post by non-member to a members-only list

This is something where sometimes your only recourse is canceling the 
customer's account or limiting their email abilities.

However, I've also seen cases where companies have 'free trials' or poor 
credit card fraud procedures which lead to signing up for accounts they 
plan to run the wheels off.  In these cases, we need to see a systemic 
change in that procedure.

In other cases, we've seen companies blame everything on partners who 
receive commissions and therefore they aren't responsible for the 
activities of the partner.  Well from our perspective they are 
responsible.  We follow one definition of spam from Chris Santerre which 
is "Spam is about Consent not Content".  If the consent is there, it's 
not spam.  And I am a capitalist and believe things like someone 
purchasing from your firm is a de facto consent to send necessary 
documents (receipts, terms of service, follow-up pings, etc.) UNTIL that 
customer asks to be removed or you haven't contacted them in a 
protracted period of time.


Unfortunately, in the next two examples, I have received unsolicited 
emails from *Darrell Gehrt* purporting to be the Division Head, Web 
Surveys at your firm.  Checking LinkedIn and your firm's blog concur.  
And I also have unsolicited emails from *Meg Stensrud* purporting to be a 
Regional Sales Manager at your firm.  Again, LinkedIn appears to confirm 
this information and the latter is the one that appears to have used 
scraped whois data tied to an address where they have incorrectly tied 
me to springvalley law group.  Two example headers are available at 
http://pastebin.com/Q0knc6ei

Interestingly, http://washington.oneyellow.com/ID/1277768 shows 
"springvalley law group" at 5335 Wisconsin Ave NW , # 400, Washington, 
DC 20015 Local Phone: (202)895-1648 Fax: (202)966-6455.

That address USED to be Luse Lehman Gorman Pomerenk and Schick which I 
have been associated with in whois records but this shows scraping and 
cross-database use that points to a foundational issue and misuse of 
database mining in marketing campaigns at your firm.  I should also 
mention that email address hasn't been used actively in over 10 years 
which shows a very protracted length of time for legitimate business.

But perhaps you can defend this with some provenance on the email 
addresses.   But I'm sure you won't be able to show anything with 
Springvalley Law Group.  In the end, I won't be shocked at all if the 
best you can find out is you have some people in your marketing 
department doing some very shady marketing.

The real question is what you can do to fix the issue.   If we continue 
to see unwanted email, we may list them again.  We rely on your 
proactive monitoring of your customers (and 
employees/agents/contracts/etc.) to ensure that this won't happen; the 
onus should not be on us to report spam to you.

regards,
KAM




On 10/7/2013 2:45 PM, XXX wrote:
>
> Hello Kevin McGrail,
>
> Your posting today on the SpamAssassin users list was brought to my 
> attention. Let me introduce myself, my name is XXX with Cvent. I am 
> reaching out to you about the concerns you raised in your posting and 
> asking to work with you to investigate. Cvent does not tolerate 
> scraping of email address either by our customers or internally. 
> Please send me the header information for what you received. We will 
> investigate and get back to you quickly.
>
> Cvent, Inc. is a publicly traded, global event management solutions 
> company founded in 1999. Our services are used by 187,000 event 
> planners and hoteliers worldwide. If you follow Alexa traffic 
> rankings, our website popularity is 1,545 USA and 5,569 Global.
>
> My team has been tracking the recent and sporadic issue with cvent.com 
> appearing on the URIBL blacklist to determine the offending customer 
> and terminate per the Cvent Terms of Use.
>
> Thank you for your understanding and cooperation,
>