EP #53 Behind the Inbox: Atro Tossavainen’s expertise on email security trends

EP #53 Behind the Inbox: Atro Tossavainen’s expertise on email security trends

About this Podcast

In today’s episode of the ‘For The Love Of Emails’ podcast, we welcome Atro Tossavainen, Founder at Koli-Lõks OÜ, with host Matthew Vernhout – VP, Deliverability, Netcore. Atro brings over two decades of experience as a GNU/Linux/UNIX systems administrator specializing in IT security, backup, and mass storage. With a remarkable background as an anti-spam activist, his insights are invaluable.

In this podcast, they discussed:
Distinction between recycled spam traps and pristine spam traps
Factors that differentiate bulk emails from targeted ones
Important of authentications like SPF, DKIM, and DMARC
Factors that marketers should consider when registering domains
Why is it crucial to keep using your email list?
How do different ESPs vary in the types of emails they send?
Episode Transcripts

Intro: (00:06)

You are listening to the ‘For the Love of Emails’ Podcast powered by Netcore, a weekly show dedicated to helping email marketers, marketing enthusiasts, and professionals of all walks engage, grow, and retain customers through reliable, smart, and effective email communication and engagement. Discover actionable ways to increase ROI and deliver value through email innovations, personalization, optimization, email deliverability, and email campaigns. No fluff. Tune in to hear best practices and tactical solutions from the best thought leaders and practitioners. Master your email communication now.


Matthew Vernhout: (00:39)

Hello, and welcome to another episode of the ‘For The Love of Emails’ podcast. I’m your host today, Matthew Vernhout, Vice President of deliverability for Netcore Cloud. Before we begin, I want to share some exciting news with you. We are set to launch an exciting new report on AMP email and the performance of AMP. We’ve seen some staggering results when it comes to AMP for email, including up to a 1000% boost in return on investment for some customers. That’s a fantastic number, and if you haven’t checked out AMP, do watch for the report. It’s scheduled to come out very soon. You can follow us on our social platforms for the exact launch date. We’ve analyzed over 1 billion AMP emails sent by our customers off the network. We’ve collected insights from 25 industry experts and provided over 100 innovative use cases for you to review and look at implementing into your own email program.


Matthew Vernhout: (01:39)

So we’re jumping in today. I’m excited about our guest; he is an expert in all things anti-spam, spam traps, email. He is also a classically trained singer. We won’t ask him to sing today, but I’ve heard him sing, and it’s fantastic. He’s an all-around general musician playing multiple instruments, and I’m very excited that he is here. Welcome to the show. I have with me the founder of Koli-Lõks OÜ, an email filtering solution, block list, security platform, and all of the above. Atro Tossavainen, welcome to the show.


Atro Tossavainen: (02:28)

Thank you. Matthew, it’s Atro Tossavainen; never mind. Nobody gets Finnish right.That’s fine.


Matthew Vernhout: (02:35)

I’ll write it off as my terrible Canadian accent. I tried to get it as close as I could. Having a European last name, I appreciate people trying to get it right. Outside of Europe it’s a close guess most of the time. So Atro comes to us; he’s got over two decades of experience as an anti-spam activist. He is well seasoned in systems administration, IT security, storage, and all of these other great things that, you know, are more important these days than ever when it comes to things like malware and spam and other bad things that are happening on your networks or targeting your inboxes. So I’m really glad to have Atro on the show. Is there anything else I’m missing in my intro today that you want to share with the audience?


Atro Tossavainen: (03:33)

No, not really.


Matthew Vernhout : (03:35)

I did a good job. I had a very long bio sent to me. I tried to sum it up, and, and make it a bit shorter. But, Atro is an expert, and I would say we’ve known each other for at least 10 years…


Atro Tossavainen: (03:50)

Yeah, I’d say that.


Matthew Vernhout : (03:50)

…if not longer, at this point. So, we’re going to talk about spam traps today, and some of the best practices for brands to avoid them, not collect them, deal with them, and, you know, your platform is a great resource for service providers as well. And that’s something that people need to understand; as a service provider, working with organizations like yours is a great way for us to help monitor our network and make sure our clients are doing the right things. And if they’re not doing the right things, either redirect them and reshape their practices as best we can or really try to figure out if they are worth continuing to work with because of their ongoing practices. Why don’t we start with your definition of what SPAM is? It’s going to be very interesting because everyone has a slightly different definition.


Atro Tossavainen: (04:45)

I go with the Spamhaus definition, unsolicited bulk email. It doesn’t take very long to explain that, does it now?


Matthew Vernhout: (04:54)

Fair enough. The one thing that I say, that maybe doesn’t catch, is that we’re seeing a rise in and more and more conversation around the idea of cold or B2B email.


Atro Tossavainen: (05:11)

I keep seeing that, like basic, it’s in my feed basically every day. People keep talking about cold email strategies. Yeah. Like that’s just a euphemism for spam.


Matthew Vernhout : (05:24)

Right. But it’s in the argument it’s not bulk. So how do you do that regarding your definition of stamina?


Atro Tossavainen: (05:33)

What makes it not bulk? You’re looking up company owners, or whatever business decision makers, up from out of the blue and then targeting them with carefully tuned messages specific to their business. But you do this in great volumes, and you’re targeting your business and my business, and it’s essentially all the same. And it comes to the addresses that I didn’t give to you; it comes to my business register address which, to anybody capable of reading, says: don’t send anything to this address.


Matthew Vernhout : (06:08)

Right. Those automated systems that pick those emails up ignore that. Don’t send anything here. I appreciate that.


Atro Tossavainen: (06:14)

Your LinkedIn profile has these special characters in front of your name, and it says, Dear Heart Matthew.


Matthew Vernhout : (06:21)

Right. Yes. I do get those. Yeah, that’s actually why I added this question. So, when it comes to brands, using your platform, you classify the types of mail you receive slightly differently than other block list providers do. So you look at it from an age perspective.


Atro Tossavainen: (06:43)

Yeah, we’re not a block list provider. That’s something you mentioned in the intro, and I cringe at that because we aren’t that, we never were that. We never intended to be that. It’s an information platform, and whatever information you get from us as a customer, it’s up to you to decide what to do with it.


Matthew Vernhout : (07:06)

That is a great distinction because, as a security researcher…


Atro Tossavainen: (07:09)

This is, of course, the same as every block list is saying, but we never even intended our data to be used for that. Because, for example, an ESP, what they’re getting from us is data on their own sending. There’s nothing that can be used for blocking email to a platform, like as a recipient, as a receiver organization; of course, as an ESP, you look at the behavior of your customers and, as you mentioned, decide what to do with them, whether to try to reform them, whether to try to just let them out of their misery or anything. But those things are something where no email is blocked at any point by anyone. So it makes it different.


Matthew Vernhout: (07:55)

Right. That’s a fair assessment. Let me rephrase the question, then. So one of the ways you classify the data you provide is around the age of the email address receiving messages, potentially the type of email. Is it a pristine email that never existed? Is it a typo email that is common? Is it a recycled address that is fairly recent, or, in some cases, recycled addresses that go back a decade? So when you were looking at that structure and building it right, obviously, each of those types of issues have a different resolution path. When you’re working with vendors, and you’re working with brands to deal with some of these things. If you work directly with brands, what is the story you tell them when you see a recycled trap versus a pristine trap?


Atro Tossavainen: (08:52)

Well, as you said, we do divide our traps. We try to know the provenance of all of our trap domains. We specialize in registering domains and using those domains for the purpose of spam trapping. And we try to discover the origin of all the domains we register, whether it was used for something at some point, and if so, what and when and when it went out of use. So we can tell our customers that their customers are mailing email addresses that ceased to exist five years ago, 10 years ago, or email addresses that never existed at all because of either of two reasons. It’s a typo of something that does exist – a mistype for Gmail or Hotmail. It’s something that genuinely never, ever existed anywhere, aka pristine. And, of course, the strategies that the senders, in this case, the ESPs, should use to deal with their customers are different.


Atro Tossavainen: (09:52)

If you’ve got typos, that’s just indicative of a bad or manual signup process. You may receive email addresses on a paper form or paper slip. Your handwriting differs from mine, and somebody else is reading that handwriting, and they don’t know what to make of your handwriting, or mine, for that matter. And then you’ve got the recycling addresses. You look at the age of the operation that you’re dealing with. This ESP customer, they started operations three years ago, but they’ve got addresses on their list that went out of business seven years ago. How’s that possible? They’ve got addresses on their list that went out a year ago. Okay. So they’ve got an issue controlling Engagement. The strategies are different, depending on who the sender is, what addresses they are hitting, and why they are hitting them. You can conclude something from the relative age of the recycled spam traps and the typos. They just tell you that somebody is not practising any type of control over the addresses that are entered into the list.


Matthew Vernhout: (11:01)

Yeah. That’s a great distinction. Right. You said if there are new typos coming into the list, it’s either that your form allows bad data to be entered – someone could be doing manual data entry over the phone, on a paper slip – or something you’ve signed out in the wild. And typos and fingerprinting and handwriting are all questionable. For someone who’s doing that – someone who’s doing the data entry, is there a process you would recommend that they drive those through differently, maybe than a website signup, because of the increased “I couldn’t read that, an o is a zero or a zero is an o”?


Atro Tossavainen: (11:49)

In this day and age if there is a possibility, don’t do it at all. Like, try to get the data in on a computer to begin with because the handwriting is just a mess. It’s going to fail.


Matthew Vernhout: (12:01)

My handwriting gets worse as I get older too.


Atro Tossavainen: (12:05)

And we don’t practise it every day. We used to write everything on paper, and now we’re just typing on a computer all the time. Our handwriting is just horrible.


Matthew Vernhout: (12:14)

Yeah, I agree. My handwriting is certainly getting worse. I get to a point where some days I can’t read my handwriting.


Atro Tossavainen: (12:23)

Feel you.


Matthew Vernhout : (12:24)

And, the other side, like you’re saying, like if you’re mailing to an address that is, you know, 2, 5, 10 years old. And you haven’t hygiened it off your list at some point; that’s a completely different practice for businesses to look at regarding ‘why are you still mailing unengaged/ non-engaged users?’ How long do you mail those users for before you remove them from your list? I think the, maybe the one, the one piece that trips up a lot of brands is when they have to run into these legal notifications that they have to send, they’re always going to hit way more traps, way more non-existent addresses than they should. It raises the question why you still have those addresses.


Atro Tossavainen: (13:17)

But those are going to be spikes, like, yeah, sure it might be annoying, but it’s completely different from seeing the same old addresses hit over and over again week after week. If you have this enormous spike once a year, it maybe sets off a different set of triggers or doesn’t set anything off at all.


Matthew Vernhout: (13:38)

Right. And I think we talked about it, being that you’re in Europe and likely deal with more, oh I am guessing here, but more localized senders just based on the way that I’ve seen, some of these things happen. Are there different rules that you look at for different geographic regions based on the sender location? Or do you treat everybody the same worldwide?


Atro Tossavainen: (14:07)

No, because it’s all the same. Engagement is Engagement, and we are not concerned about whether what you’re sending is legal or illegal, for that matter. We are reporting what somebody is sending to those who are helping them send it. And what happens next is basically up to you. If I know something about a specific sender, then I might let you know personally, such as that: I know these guys from 20 years ago; they started as spammers. They’ve always been spammers. They use sock pockets to defend themselves from Usenet, and they claim that they don’t even own this business, that it’s somebody else, it’s hacker X, that kind of stuff. So I might let you know about that, but in general, it’s not interesting to me.


Matthew Vernhout: (14:57)

Are there trends that you’ve seen over the last few years? Like obviously, everyone worked from home, and email became a much larger communication channel for businesses as a result of having to communicate with more people in a diverse location. We saw email volumes go up. Did you see a behavior change in your networks for more traps or less traps? Has it just kind of always been the same?


Atro Tossavainen: (15:23)

The volumes have been growing consistently over a long time. It’s partially down to adding more domains, like more data sources. That’s obvious, but the data volumes in the existing traps have increased. But you couldn’t say that there was like a stable period for a long time and then a sudden spike and then it stayed like on a new level, it’s just been growing consistently little by little.


Matthew Vernhout: (15:52)

And are you seeing trends in specific verticals? Do you track that? Is it more retail, is it more…


Atro Tossavainen: (16:01)

I couldn’t speak to that at all.


Matthew Vernhout: (16:03)

You don’t track that at all?


Atro Tossavainen: (16:04)

I wouldn’t know.


Matthew Vernhout : (16:05)

Right. Okay. And do you see it from more specific regions? Do you track regions like it’s worse in North America, worse in Asia?


Atro Tossavainen: (16:16)

No, I’m happy to leave that to Cisco Talos.


Matthew Vernhout : (16:21)

Let the others deal with geo-location. Yeah. What trends are you seeing, then? Are you seeing repeat people getting more aggressive? Are you seeing some people come and go?


Atro Tossavainen: (16:34)

In some geographies, the use of purchased lists is going down. And in general, the trend, at least here in Europe where we have the GDPR, the wonderful magic thing is that the use of purchase lists for B2B spamming is going down. With North American ESPs/customers, maybe that’s not the case because the legislation is different. Even though the terms of service of everybody, your operation, the top three Salesforce, SendGrid, MailChimp, those people, they’ve always been like that, but somehow these people figure that they can fly under the radar.


Matthew Vernhout: (17:20)

Yeah. When the anti-spam legislation came into force here in Canada, the list rental/list purchase industry locally basically evaporated overnight.


Atro Tossavainen: (17:34)

Oh, wow. Really?


Matthew Vernhout : (17:36)

Because the legislation scared brands enough that they didn’t want to supplement, at least, this is 10 years ago now; things may have changed. But brands were always very concerned, like: am I gonna get a huge fine by using third-party data? I remember at the time list brokers were all very concerned that their business model was evaporating. You could have found ways to make it work; it just became economically unviable. And maybe that’s the solution we need to continue to impact, to change; and services like yours, Spamhaus and services like that, do change the economics for customers or brands or scammers by forcing them to evolve and change their practices. Now, I think from experience, I would say not everyone is right all the time. What’s your experience regarding things like false positives or brands that are trying to do the right thing but somehow trip and have issues?


Atro Tossavainen: (19:00)

The thing is that since we’re not reporting anything to block, we are reporting this is what we see from you. And the only way that there would be a false positive is if our network identification was wrong. But since we base that network identification on the information you’ve given us deliberately, when we aren’t collaborating, we look at their SPF – obvious things like network range ownership, autonomous system ownership, and things that are discoverable and decipherable from public data on the internet. We try to identify, okay, so AS11377 is SendGrid, anything that comes from there is SendGrid, we tag it as SendGrid. Right? And there’s no way that can go wrong unless SendGrid outsources part of their network to somebody else who has absolutely nothing to do with them; which would seem unlikely. So we report what we see from your network; what to do with it is up to you. Sometimes you see a spike from a specific customer; sometimes, you see a constant trickle of messages from another customer. And what you do with that is entirely up to you. We are not telling you that you should consider this in any specific way. So it’s really impossible to answer that question. It kinda doesn’t apply.


Matthew Vernhout: (20:26)

Got it. That’s true. That’s another difference regarding the research you do. It’s more ‘here’s everything we’ve seen’ as opposed to ‘here’s everything we’re blocking or recommend being blocked’. Based on the pattern we see which in some cases leads to a false positive or false negative. So it’s a little different with regards to the things you do from the bigger service picture. With regards to what your platform is doing, are there other things with regards to collaborations with either brands or service providers that we haven’t discussed that you do?


Atro Tossavainen: (21:10)

Some of our spam traps are stuff that we don’t actually use for this ESP collaboration. We figure that those traps are stuff that we absolutely want to protect. We try to give you enough meta-data to work with so that you know which customer of yours is sending something, roughly when, and so on. And the meta description of what kinds of traps we’re hitting. But we also collect domains specifically for bulk data sharing. So we have this domain name and whatever comes to it is passed verbatim to someone else who is in a position to do something with full message contents, such as the URLs in the messages. Evaluating them for maliciousness or file attachments in the messages is the same. Some partners are interested in the file attachments because they are looking for new viruses. Some of the partners are looking for general badness on the internet, trying to get malicious resources taken down. So we do that too. And it’s just a slightly different aspect.


Matthew Vernhout: (22:20)

That makes sense. You don’t want to put all your cards on the table, right? I think you want to have things out there that are working in the background and feeding information to companies that are covering things that you are not.


Atro Tossavainen: (22:35)

Exactly. Because we couldn’t possibly cover all of those aspects.


Matthew Vernhout : (22:41)



Atro Tossavainen: (22:42)

There are companies who are already in that business; they just need any amount of data sources. The more, the merrier.


Matthew Vernhout : (22:50)



Atro Tossavainen: (22:54)

When we can help them get more data, that’s a win-win.


Matthew Vernhout: (23:02)

Absolutely. From your other experience, looking back over the things that we did, during the intro we talked about, protecting networks and doing that research… Are there pieces that you’re looking at in regards to, or maybe even the feedback you get from those partners, in regards to trends around phishing, which is up and down all the time, like the APWG, an anti-phishing working group that publishes a lot of data around phish trends and spikes? Do you see similar trends in your network when you’re looking? Or do you even look to say like, this is phishing content?


Atro Tossavainen: (23:49)

Yeah. Not very systematically I must admit, but my pet peeve happens to be B2B spam to purchase lists, which of course you have seen on our social interactions any number of times. But since I keep watching a set of email addresses which we have explicitly identified as either still belonging to an active business or once having belonged to an active business, I’ve got a set of maybe 1500 in various geographies where I know that anything coming to this is coming to the address of an active business who have registered it once upon a time in their local business register or on a webpage somewhere and never bothered changing it. When they should have found out that their email provider went belly up and they no longer have access to their email address, or haven’t had in 20 years.


Matthew Vernhout : (24:50)



Atro Tossavainen: (24:51)



Matthew Vernhout : (24:54)

That’s one that always surprises me.


Atro Tossavainen: (24:55)

I watch it; I watch that kind of stuff. And, of course, those email addresses receive the phishing campaigns as well because if you are in a specific geography, you receive the phishing spam targeting businesses and customers of businesses in that geography. My Finnish spam traps receive bank phishing spam aimed at customers of Finnish banks. So I get that, and we observe and try to do something about those campaigns to help people get those resources taken down.


Matthew Vernhout: (25:29)

Especially if they’re from a known network, right? Where you see people, their customers, yours, you might reach out and be like: FYI phishing on your network over here, fix that.


Atro Tossavainen: (25:38)

That’s so uncommon, though.


Matthew Vernhout : (25:40)

That’s uncommon. That’s good, though.


Atro Tossavainen: (25:42)

Yeah, but the phishers try to use these throwaway VPSs for their sending, where they don’t really leave any trace. They can maybe pay using something less traceable than a credit card for those resources. And they are fly-by-night operations in that sense, or they come from networks in countries to the east of me.


Atro Tossavainen: (26:12)

Where nobody gives a crap.


Matthew Vernhout: (26:14)



Atro Tossavainen: (26:17)

And they can continue operating with impunity for years.


Matthew Vernhout: (26:20)

That’s an interesting point. Due to my geographic location close to the US, I tend to get a lot of phishing targeting the US, of course, targeting Canadian banks. I get a little bit to my domains that end in .ca I might get targeted towards Canadian stuff. Still, I get a lot more US-based phishing or more, you know, generic North American-based, which is always funny when it’s like Bank of America, which I don’t even have an account with; they don’t operate in Canada.


Atro Tossavainen: (26:54)

But then again, is your email address in .com?


Matthew Vernhout: (26:57)

Yeah. probably .com or something that’s not geo-specific.


Atro Tossavainen: (27:02)

Yeah,. if it’s not in .ca, then why would you get anything addressing Canadian entities?


Matthew Vernhout : (27:10)

Yeah, that’s fair enough.


Atro Tossavainen: (27:13)

.com is USA, you get to use it, I get to use it, but we’re just guests.


Matthew Vernhout: (27:24)

That’s, yeah, I’ve never heard anyone describe it that way. So going back to the idea of data. I am a big proponent of delivery issues that are always rooted in your data, how you collect it, how you manage it, and how you expire things out. When you’re talking, when you’re looking at the data aspect of things, what type of advice would you have for people to say like: you’re seeing issues? How do you go about fixing some of those issues or even investigating some of the issues maybe that you’re seeing?


Atro Tossavainen: (28:05)

You really don’t have an excuse for not monitoring your engagement and acting upon it. That’s the number one thing. Clean that stuff out when you’re sending emails over and over and getting absolutely no return on investment; cut that crap. Incidentally, it ends up cutting your spam traps as well. But it’s just a nice side effect. It’s not the main reason for that, but you should be doing it anyway.


Matthew Vernhout: (28:34)

Right. And I agree. I think there’s a limitation. I don’t see any excuse for someone being like: I’m mailing to a trap that existed 10 years ago or an address that existed 10 years ago, especially if it hasn’t opened or clicked an email in 10 years.


Atro Tossavainen: (28:48)

Yeah. A friend of mine works for a brand, and recently he ran an experiment. He basically took all the target addresses that they’re sending to, looked up the MX records of all of those domains, and then drooped the engagement by MX. And he found all these MXs, which basically consistently give zero engagement, zero opens. It’s so easy to pick out the obvious spam trap networks. And what you can do with that information is just, you know, cut out all the crap that is not engaging, and as a side effect, you cut out the spam traps.


Matthew Vernhout: (29:29)

Right. That’s a great example. I think it’s something that I’ve been an advocate of for a long time; it is the idea of sunsetting, right? How many times do you need to knock on someone’s door when they don’t answer before you stop knocking, right?


Atro Tossavainen: (29:46)

That’s the same.


Matthew Vernhout: (29:47)

Wasting money. It’s, so if you’re a daily mailer and you send 30 messages to someone, and they’ve never opened and clicked, why would you send message 31? If you are a monthly mailer? Maybe you will try for 12 campaigns, right? I think it’s the volume and number of attempts that you try.


Atro Tossavainen: (30:08)

Yeah. There is also the thing that if you’re mailing at all, you gotta keep using your list.


Matthew Vernhout: (30:15)



Atro Tossavainen: (30:16)

Absolutely no point in collecting a list, then not using it, and then three – four years down the line, coming back to it and going like: we have all these email addresses; wonder what happens if we use them. You can’t get the engagement. You can’t get the engagement data if you don’t use the list. So it’s essential from that perspective as well.


Matthew Vernhout: (30:35)

That’s a great point. Because I see that all the time where people are like: oh yeah, I’ve got 30,000 addresses I’ve collected from customers, paying customers over five years that I’ve never sent them an email. I wanna send them an email. I’ve done studies in the past, and I’ve done more than one, but it’s been consistent. I would say every time I’ve looked at it over the last two decades, the email churn rate is anywhere from 2 – 3% a month.


Atro Tossavainen: (31:04)



Matthew Vernhout: (31:05)

Right. So your list is turning over two to 3% of people a month because they’re changing email addresses, they’re changing jobs. And it might vary a little bit based on the industry. B2B might be slightly heavier than B2C, but that 3% churn a month, if you look at it, it’s 30% a year. If you’re looking at the 30,000 addresses you collected five years ago, almost 40% of that list doesn’t exist anymore.


Matthew Vernhout: (31:32)

Or more, 45%. Right?


Atro Tossavainen: (31:35)

Great point.


Matthew Vernhout: (31:36)

And that 45% might end up on your list or might end up in…


Atro Tossavainen: (31:42)

It probably already is.


Matthew Vernhout: (31:45)

And if it’s not your list, it could be someone else’s list, like Spamhaus or another provider.


Atro Tossavainen: (31:51)

The thing is, as soon as it makes it into anybody else’s list, you can’t even look at the messages that were not delivered. They were delivered, just not where you thought they were.


Matthew Vernhout: (32:00)

Right. Absolutely. That’s something I think is also important that people look at: well, they’re getting accepted, so I don’t understand why they aren’t bouncing. That’s actually a good conversation to look at because there’s a best practice that was written by the blog community. I believe there’s an RFC about it as well. I don’t remember the number, but around the idea of conditioning spam traps, to make them more reliable, if you will. Yes. What is your view on the idea of the conditioning domain? So when you buy a new domain that’s new to your platform, how do you condition it so that you can trust that it’s going to be reliable for the data you want to use it for?


Atro Tossavainen: (32:40)

When we started out, we made a point of observing that very specific BCP from mog, and we figured that any domain that, especially any domain that had existed before, any recycled domain, we’d condition it for a full 12 months before deploying it to production. But, there are some conflicting views over what constitutes proper conditioning. So our initial approach to that was having, having purchased the domain, keeping it without an MX for that 12 months so that your own service would tell you: I couldn’t even find anywhere to deliver this to. But apparently, this is harder for the senders to figure out than third-party balances. So, as a result of the conversation that also happened in said club, we decided to change that approach. We registered a new domain, we assigned an MX to it, and we told the MX to reject everything. So you get an explicit rejection for that 12 months or later before we actually enable it.


Matthew Vernhout: (33:50)

So you’ve changed, you’re getting a non-existent user bounce for 12 months after registration.


Atro Tossavainen: (33:56)

And that should be enough for everyone to figure out that this isn’t working. It’s not going to be working anytime soon. Right. And yet all of our recycled domains receive emails from professional senders who should know that.


Matthew Vernhout: (34:12)

Yeah. Which is interesting ’cause I’ve bought a couple of domains for personal reasons. Like I bought, my last name.com. Right. And it was owned by some random person for whatever reason. Yeah. As far as I could tell they weren’t anyone related for a number of years. And I was finally able to acquire it, just like I was finally able to acquire the .com, the.net, and the .ca of Email Karma. But again, it was previously owned by somebody. Yeah. and you’re right; I conditioned all those domains. I returned; I think I set them to MX local hosts so they would bounce.


Atro Tossavainen: (34:55)

You shouldn’t do that. That’s the wrong answer.


Matthew Vernhout: (34:59)

But I’m also not using it for tracking spam behavior. I’m using it for personal use. But yeah, you know, there are still people that send me emails at these old domains. Yeah. I had a friend pass away, and I bought their domain name after it had been non-existent for a couple of years because, yeah, you know, I am doing a favor in their memory, if you will, to make sure that their old social accounts aren’t getting taken over and being used for other nefarious things. So, you know, there are reasons that you want to collect emails sometimes, you know. I’m not doing anything with it other than, you know, like a Twitter account was trying to be compromised. A steam account was trying to be compromised. And so I went in and reset the password and closed all those accounts.


Atro Tossavainen: (35:50)

Defensive registrations.


Matthew Vernhout: (35:53)

Yeah. They’re definitely defensive or multi; in my case most of them are the same domain, just different TLDs (Top-Level Domains). For the same reason, defensive – sometimes it’s better to own a .com than a .net.


Atro Tossavainen: (36:09)



Matthew Vernhout: (36:10)

Right. And you get better traffic that way, apparently. So, when you’re looking at registering domains, what are the things you look for?


Atro Tossavainen: (36:21)

You’d really need to speak to my colleague Beck on this. But basically, what we’re trying to do is that since we’re a small business and we can’t afford the entire collection of the world’s free domains, we have to try to focus our resources. We have to try to make sure that the $10 a year that we pay for a single domain results in email. So registering a domain that is somehow guaranteed to get a stream of email. It would be nice if it was a specific quality of email as well. Sometimes you can even tell that, but generally speaking, trying to make sure that all of the domains we get are somehow suspected, if not guaranteed outright, of getting some email as soon as we turn them on. That’s the focus.


Matthew Vernhout: (37:10)

Okay. So you’re looking for something that is likely to exist, a common typo maybe, or a variation.


Atro Tossavainen: (37:18)

We don’t see the traps in any way whatsoever. We are looking for things that have been preceded by random parties anywhere.


Matthew Vernhout: (37:28)

Right. Got it. And then, do you do any active seeding? Do you put stuff in discussion forums?


Atro Tossavainen: (37:35)

No. Hell, no.


Matthew Vernhout: (37:37)

That’s like old school.


Atro Tossavainen: (37:38)

You could say that. There’s one exception to that rule, though.


Matthew Vernhout: (37:43)

There’s always one exception.


Atro Tossavainen: (37:45)

Yeah. That is, friends with registered businesses in other geographies have helped us by putting instead of their own Gmail address a tagged address, a spam trap address as their business registration address. We share stuff that comes in with them so that they are not losing out on any important notices from their governments or anything like that, but we get to take the spam.


Matthew Vernhout: (38:13)



Atro Tossavainen: (38:14)

So that’s the only case where you put a pristine address in a business register somewhere to catch the B2B spam there.


Matthew Vernhout: (38:24)

That makes sense.


Atro Tossavainen: (38:25)

That’s the exception to the rule. But as for the recycled domains, the typo domains, just No. We are looking for things that have been preceded by whoever operated them before, or in the case, for example, the commonly known webmails, the commonly available typos of those. Big receiver platforms.


Matthew Vernhout: (38:45)

And that’s one of the things I sort of love about sort of the receiving security side of the industry, looking at what are the bad things that are happening, how do you fit into your sliver, your piece of the pie in regards to what you can offer. And if you’re helping, these are people that are being targeted based on business registrations or specific forced public information, if you will. In many places, you have to have a published address that is, you know, available or something that’s being harvested off a website. Those types of things. That’s a very specific niche, I think when it comes to the types of things that you’re doing for at least a portion of the business.


Atro Tossavainen: (39:39)



Matthew Vernhout: (39:40)

And I think that’s a great example of how working with multiple security vendors is also important to say you have, Surbl looking at URL Spam, you have your platform looking at sort of that B2B registration.


Atro Tossavainen: (40:00)

Or anything sent by a specific ESP.


Matthew Vernhout: (40:03)

Yeah. ESP.


Atro Tossavainen: (40:04)

Just anything at all.


Matthew Vernhout: (40:07)

Compared to maybe someone like Spamhaus is looking at malware, and APWG is looking at specifically phishing.  There are so many different pieces of the pie to look at and so many different…


Atro Tossavainen: (40:19)

Email is so rich with information. There are all these different things that you can focus on.


Matthew Vernhout: (40:25)

Yeah, absolutely. And I think even from a sending point of view; there are different things to look at. Some platforms work much more with small businesses; other platforms work much more with online retailers, etc. Is there a pattern that you see within the data sets across the different ESPs? Like, is someone like Netcore gonna be more likely to send you a specific class of email compared to somebody like maybe Constant Contact or MailChimp? Are you able to see the different types of senders across the platforms?


Atro Tossavainen: (41:03)

You were just mentioning this, different customer groups that the ESPs focus on. Once upon a time, I used to publish a blog on the mainsleze website where I would have this pie chart of how much we’d received from the ESPs, and also this bar chart of the relative badness, as I called it, of the ESPs. And this was basically a figure where I divided the number of messages received from each ESP by the number of different senders that we had observed on the platform. And it was obvious that some of the platforms had enormous amounts of really small customers, and others had relatively small numbers of customers each sending a lot. So, you can definitely tell that if you’re looking at that, you can identify how many distinct customers your platform has.


Matthew Vernhout: (42:04)

I have to go back and find the archives on this.


Atro Tossavainen: (42:07)



Matthew Vernhout: (42:08)

You stopped publishing them. So I’ll have to go back and find the archives.


Atro Tossavainen: (42:11)

I’m just lazy. Life gets in the way.


Matthew Vernhout: (42:17)

Haha, that’s awesome. Yeah. That’s great. I get that too. ’cause, like, I used to be very prolific at writing and then slowed down, and I’m starting to get back into writing.


Atro Tossavainen: (42:28)

You know… family, the music.


Matthew Vernhout: (42:32)

The music, yeah.  I gotta get practising on that too. So that’s one more thing to put on the pile. So, yeah. All right I guess. Any sort of final thoughts that you have when it comes to senders and things that they should maybe be considering, when it comes to their data, how they’re sending email and maybe, the obvious thing that they’re missing and sort of ending up in your cross hips.


Atro Tossavainen: (43:03)

If everybody was monitoring their engagement and acting upon it, we wouldn’t have a job. So go ahead and do it. Put us out of business.


Matthew Vernhout: (43:14)

I think I’ve used that for a long time too. The whole idea of, I’ve always tried to work myself out of a job by solving all the problems on a network. But there’s always something new. There’s always a different day, there’s a new technology that needs to be evaluated and implemented.


Atro Tossavainen: (43:34)

There’s always going to be all that bad spam that doesn’t even pretend to be legitimate. And there’s always going to be work to be done monitoring that, reporting that, acting upon that. But, all of this ESP stuff, since an overwhelming majority of the ESP customers are trying to be legitimate somehow and relevant… Don’t be irrelevant. Don’t send it to addresses that don’t do anything with it. Stop wasting your money and put us out of that kind of business, at least.


Matthew Vernhout: (44:08)

Actually, I just thought of one more question I wanted to ask. How important to you or maybe under the Koli-Lõks OÜ importance but also your own personal experience, how important is authentication and implementing SPF, DKIM, DMARC etc.


Atro Tossavainen: (44:28)

Well, it makes it easier to assign blame, obviously, but it’s kind of – it matters to the receivers, the recipients as well. To us, it’s really for the use case that we have with ESPs; for example, we are trying to look at the IP ranges that ESPs are sending from. And their SPF and DKIM don’t really matter. Well, SPF is kind of like if we don’t have the information straight from the horse’s mouth as a result of a conversation with a customer or prospective customer, then SPF is where we go to if not as numbers. So in that sense, that’s important. If you’re sending from someone else’s cloud, then, of course, DKIM matters that much more. And we can say that SendGrid, Netcore, MailChimp, and Salesforce sign this email. So it must be from them. And then, we can attribute that to you, and we can report that to you based on that. But in the sense that it’s not really a focus for us. But of course, when you’re receiving email, it’s one of the most important things to be able to tell that this actually came from the domain that it pretends to have come from.


Matthew Vernhout: (45:51)

Now, I’m assuming you see a lot of Phishing as well in your tracks that’s not being sent by a brand. Do you engage with those brands and tell them where you’re seeing phishing from or the types of things? Or is that not really in your purview, either?


Atro Tossavainen: (46:07)

It would be interesting to do that, especially with the local banks that we have personal connections with. Like, I’m a customer of this bank, and that bank right here in Finland, and I could tell them that we get all this information that’s phishing their customers. But then again, there’s usually no point in trying to engage the brand itself. The local CERT takes care of that.


Matthew Vernhout: (46:33)



Atro Tossavainen: (46:34)

And we report to them. We report to the local CERT.


Matthew Vernhout: (46:37)

Got it.


Atro Tossavainen: (46:38)

They take it further.


Matthew Vernhout: (46:39)

That makes a lot of sense. ’cause it’s probably a centralized spot they can track and trend.


Atro Tossavainen: (46:46)

Of course, relying on the government to do something for you is usually a mistake.


Matthew Vernhout: (46:53)

Well, let’s hope it makes some difference as we go. So Atro, I want to thank you very much for joining me. I love having conversations with you, and would like to see you again in person very shortly.


Atro Tossavainen: (47:07)

In New York.


Matthew Vernhout: (47:08)

Hopefully, fingers crossed. Anything you wanna plug in with regards to if someone wanted to reach out and had questions or wanted to check out your website, where would you send them?


Atro Tossavainen: (47:24)

Well, to check out the website, Koliloks.eu, but if they wanted to reach out to me, me personally, for whichever reason, there’s a spam track domain that they can write to, to throw that fake.


Matthew Vernhout: (47:40)

And you’ll be sure to respond.


Atro Tossavainen: (47:42)

My namesake domain, it’s actually my namesake domain, is something that existed before. It was a brand owned by a local business, and they ceased using that brand and just rebranded, and I snapped it and I started looking at what’s coming in and it’s like: this company has stopped using this brand in their operations three years ago, and the email addresses half a year ago or a year ago. Why is this still coming in? And it’s kind of what got me started.


Matthew Vernhout: (48:10)

Right. So I would say if you’re interested in the topics that we talked about today and learning more, you can follow Atro on LinkedIn. He’s very prolific there. Has a lot of great insights. And hopefully, you don’t see your name show up in his feed or your business name show up in his feed one day. Otherwise, we’ll put Koli-Lõks website in the notes so you’ll be able to go and check out their website. If your ESP is not working with them, you may ask your ESP why. Because having that data and understanding your own trends is important. And not being surprised by your ESP one day when you can’t access the platform due to behavior issues, is certainly something I would also say is important to understand. So, once again, Atro, thank you very much, and for everyone else out there, I hope you enjoyed today’s show. Looking forward to seeing you on the next show. And thanks for joining us. Don’t forget to hit like, subscribe and share this with your friends.


Outro: (49:13)

You’ve been listening to the ‘For The Love of Emails’ podcast, powered by Netcore. Hit subscribe in your favorite podcast player to make sure you never miss an episode. To learn more about effective email communications and engagement through AI-powered email solutions, visit netcorecloud.com. The only global email engagement leader delivering marketing ROI and value to 25+ global unicorns and 6,500+ brands for over two decades.

Unlock unmatched customer experiences,
get started now
Let us show you what's possible with Netcore.