A while back, one of my software programs was in a free giveaway on a 3rd party site. Hundreds of thousands of people signed up to get the program (and a bunch of other programs) for free.

One of the benefits to me was supposed to be that I get all those email addresses to market future software.

This is all well, but...

How do I know that these are all "valid" email addresses? For instance, could it be that some of them are "spam catching" email addresses of the DNSBL services (barracuda, spamcop, spamhaus, etc.) and others like it?

What do you think? What risks are involved, if any?

I have setup Postfix/Dovecot as shown in the Linode guide, so it's secure against relays. I have set up proper SPF records and OpenDKIM as well. So I'm pretty sure my side of things is covered.

So how exactly is spending your time/money/effort to keep in touch with 100K+ freeloaders a viable business plan?

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

Did these people actually sign up to receive mailings from you? In my head, I'm picturing a big "Download free software" button, and in size 2 font at the bottom of the page a line that reads "BTW, we're collecting all your email addresses and bundling them up for each software dev".

- Les

Each of the freeloaders ( ) signed up with the 3rd party, which sent the freeloader's name and email address to my web server for license key generation. The 3rd party took that license key and emailed it to the freeloader.

vonskippy has a point. Marketing to a bunch of freeloaders may be a horrible idea

But there are other reasons. For instance, in the future I will change my license generation scheme and I want to notify the freeloaders about their new license keys.

So it would be nice to know about any risks involved in sending all those emails. I don't want my mail server IP address to be marked as a bad one.

Could it be that some mischievous person (or a bot) signed up with a "spam catching" email address just for the heck of it? Is this a risk that is known out there? Are there other risks?

Good DNSBLs won't use domains that have ever had legit email delivered as spamtrap domains. If you have the logs of what browser, ip, user-agent, date, etc submitted that email address - that will greatly help ease any problems you may encounter. As to the right to email them, that depends on the text used on the signup page and the status of any checkboxes ("You may email the hell out of me").

Basically, if you have any doubts about it, don't do it.

Yea, this sounds pretty much like what I described. Essentially, I'm betting that a significant majority of people who downloaded this do not think that "This guy will email me marketing stuff in the future" was part of the bargain. If you're sending them information they need as users of your app, cool. But if you start sending them marketing about future software, I expect a ton of them will hit "This is spam". And considering the questionable permission you have for sending the marketing emails, we're likely to ask you not to use the list.

- Les

Probably not a great risk of losing future paying clients.

I'm assuming somewhere in your free app, you have an "about" page with a link back to your site - at which point you can sign them up (i.e. opt in) for future developments and/or products. If they sign up for those types of emails, I would say they are worthy of future effort, if they don't they they just came for the free pie and you're wasting effort (and risking the spammer label) by cold calling them.

Put a blurb on your "about page" that says something like "If you came here from the free download of "product x", be sure to sign up for our mailing list for exciting new product offers, discounts, and update announcements".... or some such marketing blather.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

The 3rd party does have a "developers can email you from time to time" in their privacy policy. But you're right, the majority of users don't read such things and I shouldn't be relying on it. So I think I'll follow your advice and skip the marketing.

But this caught my eye:


What do you mean? Does Linode monitor/scan outgoing emails?

I think they mean you'd end up causing a bunch of spam/abuse reports (tracked back to your/Linode's IP) at which point Linode would/will ask you to stop it.

_________________
Either provide enough details for people to help, or sit back and listen to the crickets chirp.
Security thru obscurity is a myth - and really really annoying.

This.

One of the first questions that we ask if we get a wall of spam reports for a server is ~"How did you get this list of email addresses", and based on the circumstances you've described, I'd ask you not to use the list.

- Les

Here's a decent set of rules of thumb from MailChimp, a company that specializes in this sort of thing: Is my list okay to use in MailChimp?

For what it's worth, my primary e-mail address of the form ${first_initial}${last_name}@gmail.com. I get a lot of these sorts of mails, because other people with a name like mine don't remember that their e-mail address isn't mine. If my e-mail address appears on your list, odds are good I'm going to consider it spam and report it accordingly, through no fault of your own.

(For the curious: I do have special processes for mail from the big bulk-mail houses. The MailChimp unsubscribe process has been 100% reliable and lets me indicate that I never signed up for that list, so I trust that. On the other hand, Constant Contact demands that I re-type my e-mail address to unsubscribe, which I'm not going to do. You already have my e-mail address, you asshats: UNSUBSCRIBE ME. Those go directly to the Gmail spam workflow. Everything else is somewhere in the middle.)

_________________

/* TODO: need to add signature to posts */

Spam is bad. Don't send spam.

Pretending spam isn't spam doesn't magically make it so.