Wash email opt-in addresses with fake PDFs

Who voluntarily agrees to receive countless promotional emails?

Our mistrust is initially fed by our common sense. We ask ourselves: How many consumers are there really who, for the vague prospect of a material or informational gain, give out their e-mail address with an advertising consent that virtually pre-programmed the subsequent “garbage” with e-mail advertising? How commercially exhausted do these multi-opt-in distributors have to be after just a short period of use? And how much purchasing power and customer potential is there actually in the special milieu of web users who are permanently interested in such address generation campaigns?

However, our skepticism contrasts with some other findings: The list broker industry continues to generate millions of dollars in sales by renting out email addresses. Despite the risk of “used up” lists, there must therefore always be customers who consider it worthwhile to bear the considerable costs of renting addresses and sending blind advertising. And in fact — in addition to many voices who have shelved this path of lead generation at some point — we occasionally hear of advertisers who continue to rely on classic list broking (co-registration formats or voucher networks such as the one from Sovendus, which work virtually peer-to-peer between advertisers, we ignore this — More about this here in a separate blog post). Especially for companies with a high customer lifetime value, e.g. providers of subscription businesses such as mobile communications or streaming contracts, this type of lead generation seems to pay off despite acquisition costs of usually well over 100 euros per lead won.

In addition, address providers show off mass and GDPR compliance. For example, TPNG offers “a portfolio of around 16 million consumers email addresses with advertising consent,” the BurdaDirect subsidiary LeadDirect advertises with “access to over 32 million consumer email addresses and 4.5 million business email addresses.” sg media + marketing attracts with “over 25 million double opt-in addresses.” Even if you assume that providers will jointly acquire or market a large part of the overall available address potential: The sheer number of email addresses contradicts our assumption that only special consumer communities are willing to pay the price of “garbage.”

How does it all fit together? A random discovery has now brought us closer to a possible explanation that makes at least some providers appear in a special light:

A supposedly clean proof of advertising consent

In autumn 2022, a Publicare employee received a good dozen promotional emails at his business address for a wide variety of products, from a credit card and printer cartridges to “Organic Skincare” from Satin Naturel and a financing offer from Smava. There was also an email with the sender “Media Markt”, which promised a bit bumpy in the subject line: “FREE: [employee name*], get your Samsung Galaxy S21 and Galaxy Watch now!” All promotional emails had two things in common: The imprint rejected the Düsseldorf-based list broker Enviando UG as the sender responsible for formally law, and every e-mail contained the message: “You are receiving this message because you have signed up with your e-mail address [employee address*] with a portal or other service from us or one of our partner companies.”

Since our employee was not aware of such a notification, he set up on October 12, 2022 Request for information under Article 15 (1) of the General Data Protection Regulation (GDPR) to Enviando UG. Enviando responded promptly: Information was received by email just 3 ½ hours later. In it, our employee learned: “As a co-sponsor, we received your data from a data provider (see attachment for details and all stored data). We will send you all stored personal data as an attachment to this email.” The attached ZIP archive contained a 13-page PDF file with surprising findings (see screenshots). Accordingly, on 18.12.2021, our employee should send his official e-mail address to a”Supermarket giveaway month“took part and confirmed the advertising consent for their e-mail address eight minutes after submitting the form by clicking in a double opt-in received. Enviando also lists — formally quite exemplary — the complete IP dial-in address of our employee for participation and confirmation as well as the exact time of both actions.

To start with: The data information provided by Enviando is fictitious — in other words: The Participating in the competition is a complete lie. We can prove that. Our employee was hospitalized in a hospital in Frankfurt on 18.12.2021 after a serious operation on 15.12.2021. In general, and particularly in this physically and mentally stressful situation, nothing would have been further away from him than taking part in such a competition — especially with his official e-mail address. And our employee demonstrably did not have access to the Internet on that day via the IP address 92.216.199.65 mentioned in the data report, which belongs to the dynamic IP address pool of Vodafone Germany. We also checked the log files of our proprietary mail server, with the unsurprising result that the double opt-in validation email claimed in the data report was not received on the day in question. In the end, it fits the picture what we see when we look at the document properties of the information PDF: The PDF document was generated on 26.04.2018, i.e. more than three years before the alleged participation in the competition. We assume that this was done automatically and “in stock” — in case of possible requests for information.

Is Enviando So here is the “culprit” (and could be held accountable accordingly)? Yes and no — because unfortunately things get even worse. The actual competition and thus the acquisition of email addresses was not organized by Enviando, but by the British company Digital Marketing Group Ltd. based in London. According to the terms and conditions, which are printed in the information PDF, Enviando only acts as a “sponsor” of the competition. In other words, Enviando is “only” the recipient of the (alleged) declarations of consent, but does not obtain them himself. The circle of sponsors includes a total of 10 list brokers, including companies from Germany in addition to Enviando Audience Serv, mailcommerce, media publisher and Evania.

Alleged advertising consents are not questioned by German “sponsors”

This reveals an insightful “division of labor”: The really dirty business operates with the Digital Marketing Group Ltd. a company that evades access by German data protection authorities and which, due to its UK headquarters, would only be prosecuted with disproportionate legal effort and corresponding costs. It illegally collects email addresses from dark sources (e.g. through email harvesting) and “washes” them by creating fake PDFs that “document” fictional sweepstakes entries. The German “sponsors” act as bona fide buyers of supposedly legally obtained, opt-in validated email addresses without questioning the processes or perhaps even against their better knowledge — who knows. And against this background, the dissonance between common sense, which regards the acquisition of multi-opt-in email addresses as a niche phenomenon, and the fact that millions of email contacts are available on the market, can also be resolved conclusively.

Die britische Firma Digital Marketing Group ltd. mit Sitz in London tritt als Betreiber von Gewinnspielen auf, über die angeblich E-Mail-Adressen gesammelt und Werbeeinwilligungen „dokumentiert“ werden.

In its e-mail for data information to our employee, “the ENVIANDO service team” concludes: “We have already irrevocably deleted your data and added your e-mail address (MD5 coded) to our blacklist. As a result, we are no longer able to send you emails, regardless of whether allowed or not.” A rogue who thinks bad things in the face of this sudden rabbit's foot!

* For reasons of privacy and because it doesn't matter, we do not mention the name and email address of our employee and have pixelated them in the screenshots of the data information PDF.