How Lead Sellers Harm Your Business
TL;DR: If you buy email address lists for sales outreach, you are probably being taken for a ride.
For once, I won’t be talking about cybersecurity, but about reputational risk.
Receiving a spam email promoting a local company led me to try to trace the origins of this rigged market that claims to sell “qualified” and “legal” email addresses.
What I uncovered were concealment practices that go as far as abusing one client’s trust to serve another. And this is in Europe, where a privacy law such as GDPR is supposed to be in full swing.
One spam too many
It all started with yet another spam email, this time advertising a software solution. Let’s call it ACME.com. The email was unsolicited (and thus landed straight in my spam folder).
I don’t know this company, I’ve never interacted with it, and I’ve never asked to receive information from it. This is therefore a clear case of illegal collection of my email address. The company would in fact be unable to prove my “opt-in” (I’ll come back in a future article to how scammers obtain such email addresses illegitimately).
Still, since the company is local, I decide to unsubscribe. Naively, I assume that such a company doing email outreach, even if illegally at first, must at least comply with the famous GDPR when it comes to unsubscribe requests.
And while looking at the unsubscribe link (old habits die hard), I discover that it points to a very respectable national industrial group specializing in industrial cleaning, including dry ice blasting. Let’s call it Group-clean.com.
Dry ice blasting might be useful to some people’s email databases, but as things stand, I struggle to see the connection between these two companies. I struggle even more to imagine a perfectly legitimate industrial group, with nothing to do with digital marketing, lending its domain to spammers. At this point, I am also tempted to rule out a domain compromise for the sake of Occam’s razor. I’m therefore very curious to understand what Group-clean.com is doing in this spam setup.
A ménage à trois…
By following the unsubscribe link, I discover that it points to a well-known email marketing platform. Let’s call it TheEmailer.com.
These perfectly legitimate platforms do not provide email lists; they allow their customers to send bulk emails using their own lists. And TheEmailer.com’s terms and conditions are very clear: customers may only use email addresses collected in compliance with GDPR. In particular, the recipient must have explicitly agreed to be contacted, and must know what they are agreeing to be contacted about.
Clearly, the email I received is in blatant violation of the platform’s terms of use.
The question remains: who sent it?
And that’s where we tumble down the rabbit hole.
Thanks to the magic of LinkedIn, I reach out to everyone involved to try to understand how this ménage à trois works: ACME.com, Group-clean.com, and TheEmailer.com.
And everyone appears genuinely surprised…
…then four
ACME.com seems shocked—borderline outraged—to be labeled a spammer. Their head of marketing tells me they use their own tool for email campaigns, that they do not do cold spamming, and that I’m not even in their database.
More importantly, they don’t know the salesperson who supposedly signed the email—despite it clearly being sent in their name.
That’s when I notice that although the signature displayed ACME.com, the email was actually sent from the domain ACME-software.com. A small but very real difference.
A quick WHOIS lookup later, a fourth player enters the picture: a Paris-based marketing agency promising “high value-added leads” on its website. Let’s call it MegaLeads.fr.
They registered the ACME-software.com domain less than two weeks ago. I then look at the mobile number shown in the spam signature. It turns out to be with an MVNO, and a quick OSINT search yields nothing. Most likely a temporary number, used only for spam campaigns.
I inform ACME.com’s head of marketing, who tells me she has never heard of MegaLeads.fr.
Not believing in the concept of the benevolent spammer, I start imagining a scenario where someone at ACME.com decided to launch a campaign on their own, without informing marketing. That would explain the use of ACME-software.com: since the agency cannot send emails from the main domain without proof of ownership (email platforms require this), it’s easier to impersonate the client by registering a similar domain under their own control (yes, criminals do exactly this for phishing campaigns).
In short, we already knew about shadow IT. Welcome to shadow marketing.
The magic of social networks
We’ve made progress, but I still need to understand what Group-clean.com is doing in this mess.
That’s when I’m contacted privately by someone who clearly knows the territory. They suggest I check whether Group-clean.com might also be a client of MegaLeads.fr, just in case.
One quick Google dork later, I have my answer: Group-clean.com does indeed appear to be a MegaLeads.fr client. I suggest my contact consider a career in Cyber Threat Intelligence. He simply replies: “When you see enough shit, you can smell it from far away.” Good enough.
LinkedIn comes to the rescue once again. Through a mutual contact, I finally manage to speak with the CEO of Group-clean.com. He confirms having worked with MegaLeads.fr, but to his knowledge only for SEO. Which should not involve creating such a subdomain in his company’s name—let alone using it as an unsubscribe link in another company’s spam campaign.
Unsurprisingly, he is furious.
MegaLeads’ response to its client
Meanwhile, ACME.com’s head of marketing is conducting her own investigation. She learns that a newly hired sales manager took it upon herself—without informing marketing—to order a campaign from MegaLeads.fr. When contacted, MegaLeads.fr acknowledged a “cache error” that supposedly caused the wrong domain to be used for the unsubscribe link (my LinkedIn contact, for his part, had previously bet on “an intern’s mistake, sorry”. Close enough to give him the win).
We will obviously never know the full truth. Human error is entirely possible. However, when I reviewed the spam emails I’ve received from MegaLeads.fr over the past six months, I found several similar “cache errors”:
Two domains registered by MegaLeads.fr itself (one about cyber resilience, one about TLS certificates) used as unsubscribe links for mobile app development studios. Completely unrelated. Likely an attempt at concealment—but at least the unsubscribe domain is under MegaLeads.fr’s control.
Two sister companies whose domains are swapped between the spam sender and the unsubscribe link. Still deceptive, but at least it stays in the family.
A deactivated domain (for rugged laptop sales) registered by the Cayman Islands branch of an Israeli company selling IT asset management solutions. This improbable domain is used as the unsubscribe link for spam promoting a French corporate expense management company. I assume they are unaware of this little arrangement.
The domain of a company reselling the HubSpot CRM, used as the unsubscribe link in spam for a French generalist consulting firm. I’d bet the former doesn’t know either.
That’s a lot of cache errors.
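The two checks used throughout this investigation (sender domain versus the domain shown in the signature, and sender domain versus the unsubscribe link) can be automated over a mailbox. The following is an added example, not code from the original article: the message is constructed, the .example domains stand in for the article's placeholders, and the "last two labels" rule for the registrable domain is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real email); .example domains are placeholders.
SAMPLE = """\
From: Jane Doe <jane.doe@acme-software.example>
To: me@recipient.example
Subject: Discover our software
List-Unsubscribe: <https://news.group-clean.example/unsub?id=123>
Content-Type: text/plain; charset=utf-8

Hello, we would love to show you our software.

Jane Doe | Sales | www.acme.example
Unsubscribe: https://news.group-clean.example/unsub?id=123
"""

URL_RE = re.compile(r"https?://[^\s<>]+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def registrable(host):
    """Naive registrable domain: last two labels (assumption; use a Public Suffix List in practice)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(raw):
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = registrable(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    # Unsubscribe targets: List-Unsubscribe header plus body lines mentioning "unsubscribe".
    unsub_text = msg.get("List-Unsubscribe", "") + "\n" + "\n".join(
        line for line in body.splitlines() if "unsubscribe" in line.lower())
    unsub = sorted({registrable(urlparse(u).hostname or "") for u in URL_RE.findall(unsub_text)})
    # Domains displayed as plain text (typically the signature), with URLs removed first.
    shown = {registrable(h) for h in HOST_RE.findall(URL_RE.sub(" ", body))}
    findings = []
    if any(d != sender for d in unsub):
        findings.append("unsubscribe-domain-mismatch")
    s_label = sender.split(".")[0]
    # Lookalike: the displayed brand differs from the sender, yet one name contains the other.
    if any(d.split(".")[0] in s_label or s_label in d.split(".")[0] for d in shown - {sender}):
        findings.append("lookalike-sender")
    return {"sender": sender, "unsubscribe": unsub, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A flagged sender domain is then worth a WHOIS lookup for its registrant and creation date, as done above for ACME-software.com.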
How to protect yourself
First and foremost, understand that a qualified lead can only come from a content campaign (white paper, study, etc.) or from an event the user attended, where they explicitly agreed that you could contact them. And they expect you to contact them about the specific topic that led them to give you their email address in the first place.
I’m not a GDPR expert, but even the famous checkbox saying “I agree to receive information from our business partners” doesn’t really meet the requirements in this context.
So agencies that sell “high value-added leads” without being able to clearly explain where they come from are, in reality, selling hot air.
An agency that sells genuinely qualified leads will support you in creating high-value content or organizing events, and will orchestrate the whole thing (there’s plenty to do). In other words, it helps you talk about you to your prospects, and then collects their consent. That’s a real profession.
How can anyone seriously imagine that some generic agency can magically provide you with entire lists of contacts who are dying to hear from you? It doesn’t exist. It’s called spam. These contacts didn’t ask for anything, don’t know you, and when they receive your email, many will at best ignore you—and at worst, actively dislike you.
And if, on top of that, you end up in Group-clean.com’s position, you find yourself unwillingly associated with a spam campaign that has nothing to do with you, simply because a few months earlier you picked the wrong horse for a basic SEO engagement.
Worse still: by associating your domain name with a spam campaign, the agency risks lowering that domain’s trust score, which can eventually cause problems for your employees. Legitimate emails may land in spam more often, or be rejected outright.
In short, rather than dreaming of “magically” buying prospects, it’s far better to roll up your sleeves and build a real, solid content marketing strategy, and to participate in relevant events. That’s the only way to generate qualified leads. Real ones.



